How to Become a Penetration Tester (Ethical Hacker) in 2026

The Bureau of Labor Statistics reports a median salary of $120,360 for information security analysts as of its latest published data, and penetration testers with hands-on certifications often command even more. Demand is not slowing down: the BLS projects 29% job growth for the occupation through 2034, far outpacing most tech roles.

Penetration testing is a narrower discipline than general cybersecurity. Where a security analyst monitors alerts and enforces policy, a pen tester actively simulates real attacks against networks, applications, and cloud infrastructure to expose vulnerabilities before criminals do. That distinction matters when you are planning your education, choosing certifications, and building a portfolio. If you are still exploring the broader landscape, our cybersecurity career path overview covers the full range of roles and entry points.

The biggest tension for career changers is time versus cost. A four-year degree opens doors at large enterprises, but targeted certifications paired with documented lab work can land you an entry-level role in 12 to 18 months.

What Does a Penetration Tester Do?

A penetration tester is paid to break into systems before criminals do. The core idea is straightforward: organizations hire you to launch authorized, simulated attacks against their networks, applications, and infrastructure so they can find and fix weaknesses proactively. That word "authorized" is the bright line separating penetration testing from illegal hacking. Every engagement starts with a signed scope agreement that spells out exactly what you can target, when, and how far you can go.

A Typical Engagement, Start to Finish

Real pen tests follow a repeatable lifecycle, though every gig has its own wrinkles.

• Scoping: You meet with the client to define rules of engagement. Which IP ranges, applications, or physical locations are in play? Are social engineering attacks on the table? What is off-limits?
• Reconnaissance: You gather intelligence, both passively (public DNS records, leaked credentials, social media) and actively (port scans, service enumeration). This phase often reveals more than people expect.
• Exploitation: Using the gaps you discovered, you attempt to gain unauthorized access. This could mean exploiting a misconfigured web server, chaining together several low-severity vulnerabilities, or cracking weak credentials.
• Post-exploitation: Once inside, you determine what an attacker could actually do. Can you move laterally to other systems? Access sensitive data? Escalate privileges to domain admin? The goal is to demonstrate real business impact.
• Reporting: You document every finding with clear evidence, severity ratings, and remediation steps. This deliverable is what the client is really paying for, and writing it well matters more than most newcomers realize.

Pen Tester, Ethical Hacker, Red Teamer: What Is the Difference?

You will see job postings use these titles almost interchangeably, and in practice the skills overlap heavily. That said, the scope tends to differ. A penetration tester typically focuses on a defined target (one application, one network segment) within a set timeframe. An ethical hacker is a broader umbrella term that covers anyone doing authorized offensive security work. A red teamer usually operates under a longer, more adversarial engagement that simulates a real threat actor across an entire organization, often without the defensive team knowing the test is happening. When you are starting out, do not stress too much over titles. Focus on building the core skill set, and the right label will follow.

Where Penetration Testers Actually Work

Understanding the work settings helps you picture day-to-day life in this career. If you are still exploring the broader landscape, our overview of how to become a cybersecurity professional covers the full range of roles and entry points.

• Security consultancies: Many pen testers work at firms that serve multiple clients. You get variety (different industries, tech stacks, and threat models every few weeks) but also travel and tight deadlines.
• In-house security teams: Larger companies employ dedicated offensive security staff. The pace is steadier, and you develop deep knowledge of one environment, though variety is more limited.
• Freelance and bug bounty: Some testers work independently, contracting with companies or hunting vulnerabilities through platforms like HackerOne and Bugcrowd. This path offers flexibility but requires strong self-discipline and a reputation you build over time.

Each setting rewards slightly different strengths, so it is worth thinking early about which appeals to you as you plan your penetration tester career path.

Step 1: Build Your Educational Foundation

There is no single path into penetration testing, and anyone who tells you otherwise is selling something. The reality in 2026 is that roughly 70 percent of employers either require or prefer a degree for pen testing roles, while about 30 percent hire primarily on demonstrated skills and certifications.¹ That split should shape how you plan, not lock you into one route. Let's walk through the three most common options.

Path A: A Bachelor's Degree in Computer Science or Cybersecurity

A four-year degree gives you the broadest foundation: networking, operating systems, programming, and often dedicated coursework in offensive security. It also helps you clear the automated HR filters at large enterprises, government contractors, and defense organizations. If you plan to work in environments governed by DoD 8570 (now DoD 8140), a degree combined with an approved certification is often the baseline expectation. The trade-off is time and cost. You are looking at roughly four years of full-time study before you enter the workforce, plus tuition that varies widely depending on whether you choose an online cybersecurity program or a traditional campus. If you want to understand what a typical cybersecurity degree program covers, it helps to review common coursework before committing.

Path B: Community College Plus Industry Certifications

An associate degree in cybersecurity or information technology paired with certifications like CompTIA Security+ and the Certified Ethical Hacker (CEH) can get you into entry-level security roles in about two years. Many community colleges now offer hands-on lab environments and transfer agreements with four-year institutions, so this path keeps your options open. The trade-off is that some larger employers may still screen for a bachelor's degree, which can limit your first wave of applications.

Path C: Self-Taught, Bootcamps, and a Cert-First Strategy

If you already have IT experience (a year or two in help desk, systems administration, or network engineering), a certification-focused path can work. A realistic timeline here is one to two years of disciplined self-study, lab practice, and earning credentials such as Security+, CEH, and ultimately the Offensive Security Certified Professional (OSCP).² Smaller security consultancies and boutique pen testing firms tend to weight your skills portfolio, capture-the-flag results, and lab write-ups more heavily than a diploma. Candidates who go this route might also consider a structured cybersecurity bootcamp online to accelerate their learning. The trade-off is that you carry more of the burden yourself: you need to build structure, stay accountable, and prove your abilities through tangible artifacts rather than a transcript.

So, Do You Actually Need a Degree?

The honest answer: not universally, but it depends on where you want to work.³ Hiring managers across the industry consistently rank experience and demonstrated ability above formal education. At the same time, a degree opens doors that are otherwise difficult to push through, especially at large organizations with rigid applicant tracking systems. If your goal is to work for a Fortune 500 company or a government agency, a degree will save you friction. If you are targeting smaller firms or building a consulting practice, a strong certification stack and a portfolio of real lab work can carry equal or greater weight.⁵

Regardless of which path you choose, plan to invest in certifications alongside your education. Security+, CEH, and OSCP appear repeatedly in job postings, and they signal to employers that you have validated, hands-on knowledge.² Think of education as the foundation and certifications as the proof of what you can actually do with it.

Questions to Ask Yourself

Step 2: Develop Core Technical Skills

Before you touch your first exploit framework, you need a solid grasp of the technologies you will eventually be testing. Think of it this way: a locksmith has to understand how locks work before learning to pick them. Penetration testing follows the same logic. Here are the four skill areas you should prioritize.

Networking Fundamentals

This is non-negotiable. If you cannot read a packet capture and explain what is happening at each layer, you are not ready for a pen test. Start with TCP/IP, DNS, HTTP/S, subnetting, and common routing protocols. You need to understand how data moves across a network so you can spot where it can be intercepted or manipulated.

The good news is that high-quality resources are free. Professor Messer's Network+ video series walks you through every concept at a comfortable pace. Cisco Networking Academy's free introductory courses let you practice in simulated environments. Spending four to six weeks here will pay dividends for the rest of your career.

Linux Proficiency

Most penetration testing tools, from Nmap to Burp Suite's command-line utilities, run natively on Linux. Distributions like Kali Linux and Parrot OS come preloaded with hundreds of security tools, and employers expect you to be comfortable in that environment from day one.

Get started by installing Kali in a virtual machine and forcing yourself to do everyday tasks from the terminal. Practice navigating the file system, managing users, editing configuration files, and piping output between commands. Over time this becomes second nature, and you will move much faster during engagements than someone who relies on graphical interfaces.

Scripting: How Much Programming Do You Actually Need?

This question comes up constantly, so let me be direct: you do not need to be a software engineer, but you do need to script. Python and Bash are the two essentials. You will use them to automate repetitive tasks, parse scan output, chain tools together, and occasionally write quick proof-of-concept exploits.

A practical starting goal is writing a Python script that takes a list of IP addresses, runs a scan against each one, and formats the results into a clean report. If you can do that comfortably, you have enough programming skill to begin hands-on pen testing practice. You can always deepen your coding abilities later as specific engagements demand it.

Web Application Fundamentals

Web application penetration testing is the single largest subcategory of pen testing work available in 2026. That makes understanding web technologies a priority, not an afterthought. If web app security appeals to you, you may also want to explore application security engineer tools and career paths in that related discipline.

Familiarize yourself with:

• HTTP methods: GET, POST, PUT, DELETE, and how headers and cookies travel between client and server.
• Authentication flows: Session tokens, OAuth, JWT, and how each can be abused when implemented poorly.
• The OWASP Top 10: This list catalogs the most critical web application security risks, including injection flaws, broken access control, and security misconfigurations. Treat it as your study syllabus for web app testing.

You do not need to master all four areas before moving forward. Start building these skills in parallel, dedicating focused blocks of time to each one. Within a few months of consistent study and practice, you will have the technical foundation that the cybersecurity certifications and hands-on stages ahead require.

Step 3: Earn the Right Certifications

Certifications validate your skills to hiring managers who may never see your home lab. The penetration testing certification landscape in 2026 ranges from affordable, beginner-friendly credentials to rigorous, hands-on exams that serve as genuine gatekeepers for senior roles.¹ Choosing the right ones at the right time saves you money and accelerates your career.

Where to Start: Beginner Certifications

If you are new to offensive security, two credentials stand out as accessible entry points.

The eJPT from INE costs roughly $200 to $250 and features a fully hands-on exam.² It is an excellent first certification for proving you can actually compromise systems rather than simply answer theory questions. That said, it rarely appears as a hard requirement in job postings, so think of it as a skills accelerator rather than a resume checkbox.

CompTIA PenTest+ runs about $381 to $392 for the exam voucher and uses a mixed format that combines multiple-choice questions with performance-based labs. Employers list it regularly, and because CompTIA is a widely recognized vendor-neutral brand, it carries weight with HR departments that filter resumes by keyword. For career changers who already hold CompTIA Security+, PenTest+ is a natural next step.

Mid-Career Credentials Worth Considering

• CEH (EC-Council): Priced between $950 and $1,199, the core exam is multiple choice.⁴ Despite criticism from some practitioners who prefer hands-on testing, CEH remains very common in job listings, especially in government and defense contracting roles. It checks a box many employers still require.
• PNPT (TCM Security): At roughly $299 to $400, this hands-on exam simulates a real-world engagement from start to finish, including a professional report and a live debrief.⁵ It is gaining traction in the community, though it is not yet as widely named in formal job postings.
• CBBH (Hack The Box): Costing between $200 and $400, this intermediate, hands-on credential focuses on web application penetration testing.⁶ It is respected among practitioners but is rarely listed as a strict hiring requirement.
• GPEN (SANS/GIAC): The exam voucher alone runs around $949 to $999, and the associated SANS training course adds significant cost. The format is multiple choice.⁴ GPEN appears less frequently in postings than CEH or OSCP but carries strong name recognition in enterprise environments.

The Gold Standard: OSCP

The Offensive Security Certified Professional from OffSec is the certification most penetration testers eventually pursue. At approximately $1,500 to $1,750 for the exam and lab access, it is a serious investment.² The exam is entirely hands-on: you have 24 hours to compromise multiple machines in a controlled environment, then additional time to write a professional report. OSCP appears in a large share of mid-level and senior penetration testing job postings, and many hiring managers treat it as a de facto requirement for dedicated offensive security roles.

That rigor is precisely why it matters. Passing OSCP tells an employer you can identify vulnerabilities, chain exploits, and document findings under pressure.

A Practical Certification Roadmap

You do not need every certification on this list. A focused path might look like this:

• Start with eJPT or CompTIA PenTest+ to build confidence and fill your resume while you are still learning.
• Add CEH if you are targeting government, defense, or compliance-heavy employers that explicitly require it.
• Pursue OSCP once you have at least a year of hands-on practice and feel comfortable with Linux, scripting, and network exploitation.

Certifications are tools, not trophies. Each one should map to a specific career goal or job requirement you have identified in real postings. If you are still exploring which path fits your background, our guide on best online cybersecurity programs can help you pair formal education with the right credentials. Before you spend a dollar, search current openings for the roles you want and note which credentials appear most often. That research will keep your investment focused and your timeline realistic.

The Penetration Tester Career Path at a Glance

One of the most common questions career changers ask is how long it takes to break into penetration testing and advance through the ranks. The timeline below maps a realistic progression, including the certifications most employers expect at each level. Your pace will vary based on prior experience, but this gives you a solid benchmark.

Step 4: Get Hands-On Practice

Here is something every hiring manager in this field will tell you: nobody gets a penetration testing job on certifications alone. Most pen test interviews include a practical component where you are dropped into a vulnerable environment and asked to find and exploit weaknesses in real time. The candidates who thrive in those interviews are the ones who have logged hundreds of hours breaking into systems legally. This step is where you build that muscle memory.

Legal Practice Environments

Several platforms let you practice offensive security skills without risking legal trouble. Each serves a slightly different niche, so mixing two or three into your routine is a smart approach.

• TryHackMe: The most beginner-friendly option. Hundreds of guided rooms are available on the free tier, and you get one hour per day of browser-based attack machine access plus full OpenVPN connectivity to lab networks.¹ Upgrading to the paid plan (about $14 per month or $120 per year as of 2025-2026) unlocks unlimited attack machine time, structured learning paths, and completion certificates you can share with employers.² If you are just starting out, this is a great first stop.
• Hack The Box: Geared toward intermediate and advanced learners who want less hand-holding. The platform features competitive ranked challenges, and retiring machines regularly keeps the content fresh. Expect to struggle more here, which is the point.
• PortSwigger Web Security Academy: Completely free and laser-focused on web application vulnerabilities. If you want to specialize in web app pen testing, this is essential training.
• VulnHub: A library of free downloadable virtual machines you run on your own hardware. Great for offline practice and for learning how to configure your own lab environment, a useful skill in itself.

Capture the Flag Competitions

CTF events are timed hacking challenges that simulate real-world scenarios under pressure. PicoCTF is an excellent entry point designed for students, while the National Cyber League offers a structured season format with individual and team rounds. Placing well in a CTF gives you a concrete, verifiable achievement to list on your resume, and the problem-solving patterns you pick up transfer directly to professional engagements.

Bug Bounty Programs

Platforms like HackerOne and Bugcrowd connect you with real organizations that pay researchers for responsibly disclosed vulnerabilities. This is as close to real-world pen testing as you can get without a job offer. Finding and reporting a valid bug demonstrates exactly the skills employers want to see.

A word of caution, though: do not count on bug bounties as a reliable income stream when you are starting out. Competition is fierce, duplicate reports are common, and many beginners spend weeks before landing their first accepted finding. Treat bounty hunting as a learning accelerator and portfolio builder rather than a paycheck. Any payouts you do earn are a bonus, not a business plan.

Making the Most of Practice Time

Consistency matters more than marathon sessions. Aim for focused daily practice, even if it is only 30 to 45 minutes on a weekday. Document every machine you compromise and every challenge you solve. Those notes become the raw material for the portfolio you will build in the next step, and the habit of thorough documentation mirrors the reporting work you will do on the job. If you are also weighing whether to become a cybersecurity consultant, the same practice environments apply, since consulting engagements often include penetration testing scopes.

Hands-On Practice Platforms Compared

Certifications and coursework give you theory, but penetration testing is a craft you sharpen through repetition. The platforms below let you legally break into vulnerable systems, practice exploit chains, and build the muscle memory employers want to see. Keep in mind that the landscape shifts quickly; the notes here reflect general strengths as of early 2026, so always check current pricing and lab availability before committing.

Penetration Testing and Offensive Security Labs

Several platforms cater specifically to aspiring pen testers and ethical hackers:

• Hack The Box (HTB): Offers a rotating library of vulnerable machines ranked by difficulty. The free tier is surprisingly generous, and the paid "VIP" tier unlocks retired boxes with community walkthroughs, ideal for beginners still learning methodology.
• TryHackMe: Structures content into guided learning paths (for example, "Jr Penetration Tester" and "Offensive Pentesting"). Browser-based labs mean you can practice without configuring a local virtual machine, a real time-saver for career changers studying after work.
• PentesterLab: Focuses on web application security with progressive exercises that mirror real-world vulnerabilities such as SQL injection, authentication bypasses, and deserialization flaws.
• OffSec Proving Grounds: Maintained by the makers of the OSCP certification. "Play" machines are free; "Practice" machines more closely mimic the OSCP exam environment.

Broader Skill-Building Platforms

General learning platforms can supplement your offensive security training with networking, scripting, and cloud fundamentals:¹

• Coursera: Strong in technology and data science content from accredited universities, useful for filling gaps in networking or programming.²
• Pluralsight: Well regarded for cloud and software development courses that help you understand the environments you will be testing.¹
• A Cloud Guru: Focused on cloud and DevOps skills, which matters as more penetration tests target AWS, Azure, and GCP infrastructure.¹
• Udacity: Nanodegree programs in broader tech roles can round out your resume if you are pivoting from a non-technical career.²

Choosing the Right Mix

Most successful candidates combine a dedicated offensive security lab with one broader platform. A practical starting point: pick TryHackMe or Hack The Box for daily hacking practice, then layer in a platform like Pluralsight or Coursera to strengthen supporting skills such as Python scripting or cloud architecture. If you want a more structured academic foundation alongside your lab work, explore online cybersecurity master's degree options that pair well with hands-on training. Track your progress, document your methodology for each box you complete, and you will already be building portfolio material for the next step in your penetration tester career path.

Step 5: Build a Portfolio That Gets You Hired

A penetration testing portfolio is not a design portfolio. You are not showcasing visual flair or creative layout. What hiring managers actually want is evidence of how you think through a problem, how you structure an engagement, and how you communicate findings to people who may not share your technical background. The deliverable of a pen test is a written report, so your portfolio needs to prove you can produce one.

What to Include in Your Portfolio

Think of your portfolio as a curated collection of artifacts that tell a story about your methodology and growth. Strong candidates typically assemble several of the following:

• CTF writeups: Document your approach to Capture the Flag challenges step by step. Walk the reader through your reconnaissance, enumeration, exploitation, and post-exploitation phases. Showing your methodology matters far more than simply listing flags you captured.
• GitHub repositories: Publish custom scripts, automation tools, or proof-of-concept exploits you have written. Even small utilities, like a port scanner with custom output formatting or a script that automates subdomain enumeration, demonstrate that you can code with purpose.
• A personal blog: Write about what you are learning, interesting vulnerabilities you have researched, or breakdowns of real-world incidents. Consistency here signals genuine curiosity and discipline.
• Platform profiles: Maintain active Hack The Box or TryHackMe accounts and link to your progress. Hiring managers increasingly check these profiles the way they once checked LinkedIn endorsements.

Why Reporting Deserves Its Own Artifact

This point is worth repeating because so many beginners overlook it: a penetration tester who cannot write a clear report is only half effective. Include at least one sample sanitized pen test report or executive summary in your portfolio. Strip any identifying details from real engagements (or create one from a lab environment), and structure it with an executive overview, a risk rating table, detailed technical findings, and remediation recommendations. That single document can set you apart from dozens of candidates who only show terminal screenshots.

Boost Credibility With Open-Source Contributions

If you want to stand out even further, contribute to open-source security tools. Submitting a pull request to a well-known project, whether it fixes a bug, adds a feature, or improves documentation, shows you can collaborate in a real development workflow. Writing responsible CVE disclosures, even for minor vulnerabilities in smaller software packages, dramatically increases your credibility. It signals to employers that you understand the disclosure process and can operate professionally within the broader cybersecurity career path.

Your portfolio does not need to be enormous. Five or six carefully documented pieces will outperform a cluttered collection of screenshots every time. Quality of explanation, clarity of methodology, and evidence that you can communicate risk to a non-technical audience are the things that actually get you hired.

Penetration Tester Salary and Job Outlook

The Bureau of Labor Statistics classifies penetration testers under the broader Information Security Analysts category. Nationally, these professionals earn strong salaries at every experience level, and demand is surging. The BLS projects 29% job growth for this occupation from 2024 to 2034, a pace described as much faster than average and nearly ten times the 3.1% growth projected for all occupations over the same period. The table below highlights the top five highest paying states, along with their employment totals and salary ranges from the 25th to 75th percentile, giving you a clear picture of earning potential as you plan your penetration tester career path.

Highest-Paying Metro Areas for Information Security Analysts

Where you live (or where your employer is headquartered) can move the salary needle by tens of thousands of dollars. The table below ranks the top ten metro areas by median annual pay for information security analysts, based on the latest Bureau of Labor Statistics data. Keep in mind that the highest-paying metros, especially those in California and the greater D.C. corridor, also carry a steep cost of living. The good news: remote and hybrid roles have expanded dramatically since 2021, so many penetration testers now earn big-metro salaries while living somewhere far more affordable.

Step 6: Land Your First Penetration Testing Job

Landing a dedicated penetration testing role straight out of a certification boot camp is uncommon. Most hiring managers want to see one to three years of hands-on IT or security experience before they trust someone to simulate real attacks against production systems.¹ Understanding that reality, and planning around it, will save you months of frustration and actually shorten your path.

Realistic Entry-Level Job Titles

When you start searching job boards, cast a wider net than "penetration tester." Titles you should watch for include:

• Junior Penetration Tester: The direct-entry role, but competitive. Employers typically ask for eJPT or CompTIA Security+ at minimum, with OSCP strongly preferred.² Expect salaries in the $75,000 to $95,000 range in 2026.³
• Associate Security Consultant: Consulting firms often hire at this level and rotate you through vulnerability assessments before full-scope engagements.
• Vulnerability Analyst: Focuses on scanning, triaging, and validating findings. A natural stepping stone into offensive work.
• SOC Analyst: Security operations center roles teach you how defenders think, which makes you a sharper attacker later.
• Security Engineer or Network Administrator: These adjacent positions build the infrastructure knowledge that pen testers rely on every day.

Many successful pen testers spent their first year or two in helpdesk, sysadmin, or SOC analyst seats. That foundation in networking, system administration, and report writing (a soft skill employers consistently highlight) pays dividends once you transition into offensive security.¹

Can You Break In With No Experience?

It is rare but not impossible. Candidates who skip the adjacent-role path usually compensate with a strong portfolio of CTF results, bug bounty findings, and a recognized offensive certification like OSCP.⁴ Even then, most land consulting associate positions rather than a pure pen test seat on day one. If consulting appeals to you, the cybersecurity consultant career path guide covers that trajectory in detail.

Remote Work Realities

Penetration testing is more remote-friendly than many security roles. A growing share of job listings on boards like Indeed and specialized sites are posted as remote or hybrid.⁵ That said, certain engagements, especially physical security assessments, internal network tests, or government and cleared work, require you to be on-site. If you prefer fully remote work, web application and cloud pen testing engagements tend to offer the most flexibility.

Choose a Specialization Early

The field is broad enough that specializing can make you more marketable, not less. Consider these tracks:

• Web Application Pen Testing: The largest segment of the market. Every company with a web presence needs this.
• Cloud Pen Testing (AWS, Azure, GCP): The fastest-growing specialization as organizations continue migrating workloads.
• Network and Infrastructure Pen Testing: The traditional core of the discipline, still in steady demand.
• Mobile App Pen Testing: Valuable as mobile-first products multiply.
• IoT and OT Pen Testing: Niche but increasingly critical in manufacturing, healthcare, and energy sectors.

Picking a lane does not lock you in forever, but it gives you a clearer story to tell in interviews and a focused set of skills to deepen. Those drawn to the cloud track, for example, may want to explore a cloud security specialist roadmap to see how offensive and defensive cloud skills intersect.

A Realistic Timeline

From the moment you begin studying to the day you accept a pen testing offer, expect the journey to take anywhere from six months to three years. Career changers with existing IT experience can move faster, while someone starting from scratch will spend time building foundational skills first. If you are still weighing whether a security engineer career path might suit you better, that is a perfectly valid adjacent route. Either way, the combination of structured learning, certifications, hands-on practice, and a well-documented portfolio discussed throughout this guide will keep you on the shortest path possible.

Frequently Asked Questions About Becoming a Penetration Tester

Below are the questions career changers and newcomers ask most often about breaking into penetration testing. Each answer draws on the salary data, certification details, and career timelines covered earlier in this guide.