Penetration Tester Kaiwhakamātautau Mūrere

Penetration testers investigate security weaknesses in online systems and databases.

Penetration testers may choose to become certified or chartered through associations such as the Institute of IT Professionals.

Penetration testers may do some or all of the following:

  • keep up to date with cyber security threats and software used by hackers
  • analyse how organisations use their IT systems and where security weaknesses may occur
  • attempt to break into IT systems to discover their security weaknesses
  • create tests to identify and exploit weaknesses and security issues in IT systems
  • monitor IT systems to discover new vulnerabilities
  • produce reports to help organisations correct their IT security weaknesses.

Physical Requirements

Penetration testers spend a lot of time using computers, so they need to know how to use computer equipment properly to avoid occupational overuse syndrome (OOS).

Useful Experience

Useful experience for penetration testers includes:

  • working in IT-related jobs such as IT support technician
  • on-the-job training through IT internships
  • hacking experience gained through study or hacking conferences
  • working on individual IT projects such as setting up your own penetration testing lab or assembling computers.

Personal Qualities

Penetration testers need to be:

  • creative and imaginative as they need to design and create tests
  • good at analytical thinking
  • good at problem solving
  • skilled at verbal and written communication as they have to create reports and communicate with technical and non-technical staff
  • detail-oriented and curious as they have to work on complex technical questions.

Skills

Penetration testers need to have:

  • strong analytical and diagnostic skills
  • knowledge of computer systems, software and technology
  • knowledge of operating and networking systems, methods and devices
  • the ability to do manual and automated security tests
  • knowledge of coding languages such as Java or C++
  • understanding of security software and penetration tools such as Metasploit, Fortify and AppScan
  • up-to-date understanding of internet threats, hacking tools and current IT security practices
  • in-depth knowledge of security monitoring.

Conditions

Penetration testers:

  • usually work full time and may also work evenings and weekends, and be on call
  • work in their own or clients' offices
  • work in conditions that may be stressful, because they work to strict deadlines while responding to security threats
  • may travel locally or overseas to meet clients.

Subject Recommendations

A tertiary entrance qualification is needed to enter tertiary training. Useful school subjects include digital technologies, maths, physics and English.

For Year 11 to 13 students, the Gateway programme is a good way to gain industry experience.

Chances of getting a job as a Penetration Tester are good due to a shortage of people interested in this type of work.

Pay for penetration testers depends on skills, experience and where you work, with pay in Auckland being higher.

Penetration testers can earn $100,000 to $200,000 a year.

Sources: Recruit I.T., 'Auckland Technology & Digital Salary Update, June 2023'; and Recruit I.T., 'Wellington Technology & Digital Salary Update, June 2023'.

Penetration testers may progress to set up their own business, or move into roles such as:

  • principal security tester
  • security incident response specialist
  • public speaker and security researcher
  • security software developer
  • security manager
  • chief technology officer (CTO)
  • chief information security officer (CISO).

Penetration testers may specialise in:

  • cloud security – testing the security of data stored on servers hosted on the internet
  • internet security – testing the security of access to computer systems and databases via the internet
  • mobile security – testing the security of smartphones and other portable devices, and the networks they connect to
  • network security – testing the security of the internal computer network of an organisation.

Years Of Training

1-4 years of training required.

There are no specific requirements to become a penetration tester. However, you usually need one or more of:

  • a certificate, diploma or degree, preferably in an IT-related subject such as network engineering, computer science or cyber security
  • a relevant industry-based certification, such as Offensive Security Certified Professional (OSCP) or CREST Ethical Security Tester, which people usually study for after they have IT experience
  • three to seven years’ experience in intermediate-level security roles such as security analyst or related roles such as network or systems administrator, or helpdesk/support technician.

Common ways of gaining IT-related knowledge include learning through online courses and tutorials, and working on your own projects.