
Sea_Courage5787

If you can land a gig as an internal pentester it can be great; the downside is that you may not be exposed to as many scenarios in pentesting. It all depends on the company.


cant_pass_CAPTCHA

Agree completely. I do tons of internal web apps but don't really get to do much more. Sometimes I wish I got to see a wider range of tests but it's also very chill compared to everything else I see people talk about.


Fragrant-Hamster-325

Are you afraid of your skills declining since you might not be exposed to a broader range? It’s tough to find motivation to move on when you’re in a chill environment getting paid well.


cant_pass_CAPTCHA

Sure, definitely a bit afraid I'm getting too much experience in one niche at the expense of the other expected skill sets. CTFs are a fun way to keep everything a little fresh, although not usually learning a ton. Most recently I was grinding out PortSwigger Academy labs (more web apps), but the thing I kind of want to focus on next is mobile (kind of a web app but more code review 🤪). On one hand I see I am actively painting myself into a corner. On the other hand, right now it feels like putting time into the other skills wouldn't do much for me at my current job. On the other other hand, it's the stuff I have naturally gravitated towards, so it _is_ what I enjoy doing the most of. In the future if I find myself out of a job and see I have thoroughly fucked my career path... I guess I'll try and start over as a jr dev and try and sell myself through my AppSec/pentest background.


NumberEvan

I would love that. Sounds like a sweet gig.


RogueILLyrian

I agree with him on a good amount of stuff; the pay scale is so true. They want you to have all these certs but pay you 65k. I think there are so many out there that it's probably becoming saturated.


Lankiness8244

Austria and bad luck: best I can pay is 42k 🤣


[deleted]

In central Europe security is shit pay. A good senior dev in Bratislava can make 4-7k euro monthly depending on skillset, cybersec offers are more like 2.5-3.5k. I always wanted to do security, but can't afford an almost 50% cut compared to my dev job.


Lankiness8244

I have the same problem. As lead dev and technical architect I get more than a well-paid junior pen tester/red teamer, and that cut hurts too much.


david001234567

Don’t stress it! With the current state in the US, soon it will be a dime a dozen. The market is flooded with workers and not enough opportunities. The field is about to tank as I see more and more companies going overseas for cheaper options.


[deleted]

I don't see many security jobs from the US going abroad, especially because they often do government contracts that require clearance.


david001234567

I should have been more clear. Excluding Defense and Gov jobs.


cant_pass_CAPTCHA

Interesting, thanks for sharing. I do pentesting in the US and sometimes fantasize about changing to the developer side. Unfortunately I get paid too well and can't justify rebooting my career as a jr dev.


B0797S458W

There are more roles within the security field than just pen testing.


[deleted]

Of course, I mostly meant offensive security roles. The good paying jobs in security are mostly management and compliance here. Then software architects with focus on security, but that's more on the dev side.


bugsyramone

Well, when you can open your own hotel for a nickel, I wouldn't expect to get paid a lot. (I'm sorry, it's just every time Bratislava is mentioned my entire consciousness is flooded with that scene from Eurotrip, as dumb and wholly incorrect as it is.)


IodineAzane

Perfect. I mean, this is precisely why companies/domains have more than enough tolerated risk to get my hands dirty with.


mrJeyK

You can afford it if you really wanted. The problem is getting out of the comfort zone 🤷‍♂️


nikola28

Many expect a single pentest to fully secure their systems, but that's unrealistic. Pentests often miss vulnerabilities due to time or budget limits, and new threats pop up all the time, making findings obsolete quickly. Plus, if companies don't act on the recommendations, it looks like the pentests didn't work.


xBurningGiraffe

This. It’s why any reputable pen test report will have a disclaimer stating that the test is a “point-in-time” assessment only.


msec_uk

I’d also add, it’s human driven. It’s highly susceptible to the skills and knowledge a tester can bring, particularly in complex/chained exploits or in exploiting logic conditions. I love pen-testers, but always hire 3rd parties from reputable firms to conduct tests. Variety of thought and experience is valuable.


PartyPanda462

Ok so. This dude is jaded for some reason. At least to me. This is a fun job. But it’s still a job. And yeah, you won’t make big bucks STARTING out, but the top echelon is nice pay. Just like ANYTHING else. From the sounds of it, he’s gotten the shit end of the stick on every scenario. When that’s not the reality out in the wild. After work, if you’re doing application work or mobile, if you wanna keep elevating and getting promoted…you need to keep gaining more knowledge. That’s usually done on your off time. Or you have a good company that gives you time to do it. I read the article but don't agree. At All.


Laughmasterb

I wouldn't say this guy has gotten the shit end of the stick. He just had completely unrealistic expectations. Doesn't like needing to follow rules of engagement, doesn't like having to explain what he's done, complains that the job is getting harder because good security settings are becoming default. I think this sentence pretty much covers it:

> The problem is that the business of hacking is much different than OffSec Proving Grounds or HackTheBox Certified Whatever networks.

Some people just want to get paid to break things like a child with a new toy. And while I think there is value in trying to tell college students that *work is work, even for "fun" jobs,* I don't think that message really lands coming from this guy.


PartyPanda462

Fair points for sure. I love the job, even with its hang-ups. I understand where he’s coming from with the OSCP to real work. And how that’s absolutely different. But it’s a cert that teaches ONE aspect of the job. Besides….imho….this work is extremely rewarding if you keep learning and growing. If not, you’ll stay stagnant and not get promoted or whatever.


DanielCraig__

I guess the expectation for this guy was shattered; the guy expected to be able to pwn boxes on a company network with no limitation for a salary of 100k straight out of the box, with OSCP only. I guess people saying getting OSCP will guarantee a 100k job a few years back did skew expectations. The amount of salt is high in this one, but at least it is a good counterbalance for all the "this is a dream job" blog posts.


PartyPanda462

I hear you. But I’m self taught also. Took me 3 yrs to get OSCP. And other certs also. I didn’t secure a $100k job outa the box, but I did secure a foothold into a high-level consultancy. Full remote. Now….I did have to do 3 CTFs and a paid internship for almost a yr to get FTE. But I got in and doin well for sure. I beat out hundreds of applicants with degrees and master's degrees. I can hack; skills pay the bills.


DanielCraig__

Props to you, and it's definitely possible for motivated people. It's just not the easy job to 100k some advertise. It needs creds + experience + willingness to learn continually.


PartyPanda462

Yes sir. Thank you. Even today, I’m constantly learning new tech and expanding my skill sets. It’s definitely not easy but damn fun. And you’re right. There was / is a ton of applicants even now. And we pull in 2 a yr just to try out. Most don’t last. There are a lot of applicants that just don’t have the mindset(s) for the job. Aside from serious focus and perseverance, mindfulness with reporting is crucial too. And a good mindset when you’re not getting anywhere on a gig.


_-Trixx-_

> This is a fun job. But it’s still a job.

Unexpected Cypress Hill


PartyPanda462

Fuckin take my upvote. 💯


ryox82

People have been spoon-fed that it, and infosec in general, is instantly six figures. You don't get senior-level pay out of school unless you are working for very specific companies and you are at the top.


PartyPanda462

Agreed.


DeezSaltyNuts69

The guy doesn't even work as a pentester currently and only briefly worked as one. I'm sorry, but that really doesn't represent the state of pentesting in 2024 or any other time.


dolphone

EDR or SIEM or whatever you want to call it? I'm not big for jargon but those are distinctly different things. If they mean "monitoring", how is that new exactly?


PaddonTheWizard

Sounds like a very limited US-based experience. I wouldn't take that advice to heart. Seeing people surprised that jobs pay less money in hand in Europe compared to the US is always amusing to me.

I haven't been in the field for long and am not doing red team engagements, so my experience is pretty limited too. That said, from what I've been doing, talking with more senior colleagues and seeing in others' reports, what the author is saying sounds like people weren't even doing their job properly. If you work on a red team engagement, can't get past the entry point and sit there doing nothing for 2 weeks, that's just you being bad at your job. You should have a contingency plan in place for this exact scenario, and should work with the client. Besides, I've never seen our red team guy not find a way in on any assessment.

If you think all consulting is like this, any job can be "overrated and disappointing". Pentesting has good and bad sides to it like any job, but I wouldn't blame consulting for people not doing their job properly.

I also never heard of people earning a living from bug bounty, let alone earning 2x-3x of what pentesting jobs pay.


Ancient-Carry-4796

What was your path to pentesting like?


PaddonTheWizard

Not particularly interesting: uni + HTB + decent skills and then searching for jobs at the end of uni. I had about 60 machines on HTB iirc when I got hired, probably more than half of them along with the relevant IppSec video.


Cyberlocc

Lots of people do make a living from bug bounties. There are some folks that do make much more than pentesters. People that make millions a year. The key is getting through the start of bounties; they've got to get invited into private programs, and if you keep getting more you get better programs. It's hard to get to the point of making money, but people do it.


Klau-s

Not "lots" of people. The top 0.1% of bug bounty hunters are able to do that, but the vast majority find like 1 or 2 bugs a month.


Cyberlocc

No, the 0.1% of bug bounty hunters make millions per year. Lots of people work for Synack Red Team etc. and make a decent living. Lots of people get into the private groups and make a decent living. "The majority of bug hunters find 1 or 2 bugs a month": that's people that are not very good at it or haven't got into private programs yet. If you are fighting for scraps on H1, yeah, you won't make a living; if you are good, and doing it, and get into private programs, you can. Plus the .01% of bug hunters, when there are 100,000s of people doing bug bounties. There aren't a lot of pentesters in the world either.

The key is private programs; all these bug sites have private groups that get access to special bounties that are not open to everyone. If you get in those you can make okayish money. Same with like Synack, which is basically a BBP, and you have to be interviewed and accepted into that. Then it's a matter of the work you put in: put in little work, get little money. Most people can't make money from freelance work like that because they don't have the drive, get easily distracted, and don't work. That's not an issue with BBPs, it's an issue of not being a self-starter.


PaddonTheWizard

> Most people can't make money from freelance work like that, because they don't have the drive get easily distracted and don't work.

So you're saying that if you work at it like a job everyone can make good money? I don't doubt there are a few people making good money, but I doubt the average is any higher than normal jobs.


Cyberlocc

Not everyone per se; again, it takes skills to get through the muck. Once you're through the muck and into private programs, then work it like a job; those people make money. It's very hard to find bugs starting out because of all the competition. However, if you can find them and prove yourself and get invited into private programs, there is way less competition in those.

I'm saying that the consensus that is spread is about open Hacker1/Bugcrowd, where there are millions of people and millions of bots looking over everything the second it goes live; yes, it's pretty much impossible to make money like that. But if you manage to get into private programs, or things like SRT, there is a ton of work with only the select few invited to do it; that's a completely different thing.

As far as how much you make, it's going to come down to work put in and how good of a reputation you have, just like any other freelance work. The better your reputation, the better work you will get.


PaddonTheWizard

Reasonable. Not sure about any percentages, but from what I saw online from Medium articles and such, it seemed that the average bug hunter wasn't very skilled and was just throwing all payloads and tools known to man at pages hoping something sticks. In my opinion that's what a script kiddie would do, not a professional of any kind. Plus the communication skills were... not good either. Obviously I don't expect everyone to be the same, and I'm sure there are very skilled people in the field, but overall I got the impression it has a pretty low entry barrier and thus attracts lower-skill people compared to pentesting.

If you go for private programs, is it any different? Do you get to meet/work with/learn from skilled people, or is it the same "throw random payloads hoping something works at some point"?


Cutterbuck

Scanned it…. It came across to me that he was disappointed that he didn’t get to play with the fun stuff much…. That’s work though isn’t it? As regards having to do the client facing stuff and support the business… That’s also part of the job.


Girthderth

So you’re basically agreeing - same here.


Cutterbuck

Not really - my point is that it’s a job and all jobs have shitty parts you don’t enjoy doing . I mean I used to work in a recording studio, I got to hang out with famous people, I had input into songs you hear on the radio, I learnt great skills, I had “other benefits”…. I still had to vacuum the floors, do the accounts, deal with some absolute arsehole clients and even occasionally clean toilets though….


paradoxpancake

There's a fair amount of stuff that I agree with, but some I don't. Everything is anecdotal and individual experience, but there are some common trends.

First off, Penetration Testers -are- in demand, but most companies don't want to pay them what they're worth. This isn't an issue unique to pen testers, but most forms of careers out there. This is because we're umbrella'd under security, and companies view us as money sinks and not money makers, even if we're the ones that allow them to SECURELY make money in the first place and keep it.

Getting -in- as a penetration tester is hard. I would say that the author is delineating between what seniors are viewed as and juniors. I have seen plenty of average pen testers not expected to come up with their own TTPs, their own n-days, and various other things. That is what developers are for. There ARE some places where the testers and developers wear the same hat, but those are places you want to AVOID. You're doing the job of two people at that point, likely not getting paid for both jobs, and it's no wonder that you're losing out on your life by working near damn constantly.

Additionally, there are contractor and even network penetration tester civilian positions in the public sector that go woefully unfilled that can be an excellent way for people looking to get started with just their certifications. That is how I got my start, but I did laterally move into what I was doing. Good network penetration testers are worth their weight in gold to the companies that understand their value, and you will get paid far beyond what this guy is saying once you get the experience. I consider myself little more than a glorified script kiddie at the end of the day, but I know enough to be dangerous, and I'd be considered a "journeyman" level penetration tester -- but I still get compensated way more than what is being said in this article.


Won7ders

I personally do lots of fun stuff when I conduct pentests and I don’t recognize most of his points. I do think that the concern you need a lot of experience for penetration testing is true. I had years of experience in IT before I started my first pentest. It’s great you have a certificate but I personally think you need to have background knowledge, too. Everyone can run tools, but can you also help your client with decent advice on resolving things, or will you only redirect them to a website?


tailgunner777

I ran penetration testing controls at one of the too big to fail banks for 5-6 years. I had lots of success turning software developers into pentesters for the same reasons that you said, it's much more effective at resolving the issues and the conversation between the team is a lot less hostile because the application teams feel they are talking to someone who understands.


Test-User-One

Some of the comments are on point, like to advance at a consulting company you need consulting skills more than technical skills. And the harder you work to keep your skills sharp, the better you'll be. Also, the comments around CISOs needing to see value.

What isn't said in the article is that pentests don't have particularly high value regardless of the level of success. However, people outside security ask about pentests so they have to be done. That's why pentests are so cheap and fixed price.

Functionally, pentests either succeed or fail. If they fail, they have proven that that person can't get into the asset at that particular time. Another person at the same company may well be successful, but who knows. A new vulnerability may be discovered the next day making the pen test results irrelevant. So the asset is safe from 1 tester until something changes. If they succeed, there is limited value in that there's 1-2 kill chains that need to be broken. Most enterprise security organizations have many more places where they can put money in terms of validation and security posture improvement/risk reduction, but they are forced via external means to do pentesting. Because that's the word non-security people know.

As to staying a pentester or not, it's the usual: do you like your job, and do you get paid enough to do the things you want to do when you're not at your job? If AND = 1, then sure. It'll be around for a while.


LevelPlus1383

> A new vulnerability may be discovered the next day making the pen test results irrelevant.

Had the case recently with Ivanti: between the report and the final meeting, the CVE went public.


lawtechie

If you like the work and can do the actual job well, it's a decent way of making a living. But if you're primarily interested in making more money, security engineering and sales roles will make a lot more money.


Easy-Vermicelli7802

I think the reason behind the lower pay is because pen-testing is something you don’t have to have 24/7; it is just a once-in-a-while task. On the other hand, blue teams need to be always active. So from a risk point of view, blue team folks are considered much more valuable as a control to be in place, and that’s why they are paid more. Just a thought.


South-Beautiful-5135

Sorry, but that’s just not true. There are many consultancies which only focus on pentesting for their clients.


shavedbits

Well, this feels clickbaity, but it really depends on what you want and what you make of it. I think the initial appeal and the reality of day one might be in part explained by some part of the Dunning-Kruger effect. When your shell flops on an active connection it might be less glam than you imagined. Obv I’m not on red, but a lot of the frustration I see over there when working with blue is that blue is much, much slower than red, both in an exercise and on the roadmap. And sometimes a gap you find and expose gets filed away and never fixed. As for pen test, some say every engagement it's the same: they bring the same kill chain more or less, some minor tweaks, and then write up the same report. Blue has plenty of problems, mind you. It’s always greener on the other side maybe?


CaptainObviousII

Don't forget that a pen test is also a great opportunity to check the effectiveness of your EDR / SIEM / IPS. Do a forensics tabletop immediately following the test and see if you can find any breadcrumbs or whether your protection identified a threat.


Unlikely_Perspective

Only read the engagements part. I heavily disagree with him (as an internal red teamer).

- About dropping EXEs: you can drop files whenever, wherever if needed.
- Using PowerShell: I would avoid using PowerShell altogether... he should be doing stuff in memory anyways.
- Using AV killers: never needed to use it, but it’s definitely not off the table.
- Touching prod: he’s right, you can’t go breaking shit in prod & so it’s best to stay away from risky moves.
- EDR reality: it is extremely difficult to know how to bypass EDR without having one you can test with. So he’s right in that EDR is getting harder to bypass and requires more resources to develop solutions to bypass it.


reddetacc

> "The market is not hot for people that turn off Real Time Protection to run their MSF payload."

hearty kek


netsec_burn

Strongly disagree with many of the objections raised in this article. First off, lol:

> The market is also hot for web app people. Why? Because if you’re worth a shit at web apps you’re doing bug bounty and making 4–5 times what a consulting firm is willing to offer.

Clearly this person has never done bug bounties. They also don't know the pay ranges of cybersecurity consulting. Take this post with a grain of salt, especially because they are not a pentester in practice.


Array_626

> Is it wiser today to be a blue teamer and find a right spot in a good company?

Generally speaking, I think blue team has always been where the money and careers are at. Yes, there are some rockstar red teamers who get to do some crazy things and make a lot of money, but at the end of the day, a business is more focused on building up its infrastructure rather than testing it for flaws. You cannot scale your business to a million users without paying for a sys or cloud admin to help you. You can scale your business to a million users and never pay for a red team engagement. There may be some risks, but you can do it. Yes, testing for flaws is obviously an important part of building and scaling up, but it's more easily waylaid than the blue team's main focus of building a functioning network that enables the business to operate.

That importance to the core of the business's operations and ability to generate revenue is why blue team jobs pay so much more than red team. Because they can easily and reliably tie a dollar value to not having a blue team role filled, whereas a vacant red team role, ehhh??? I mean, our engineers are pretty top notch, they have good security policies in place, maybe not perfect but good enough. What are the chances of actually having a breach? Do we really need to pay 250K for a red teamer?

Part of why red team is so prominent in the industry is because they are the cowboys. They get to do the cool fun stuff, whereas the sysadmins are kinda seen like the boring accountants of the industry.


fhammerl

Interesting to see the tide shift for offensive security folks. A lot of it sounds true. If you are a pure exploit finder, the tech stacks are growing out from underneath you at a pace that's hard to keep up with even superficially. Sensible dev defaults are becoming ... well, the default, ... so expect systems to be harder to crack out of the box. Add to that you will see extremely stiff competition from generative AI, and I fully expect that Neuromancer-style icebreakers will pop into existence over the next few years.

- Earning a living from bug bounties is so far out of the realm of what's possible, it's not even funny as a light-hearted strawman. Sure, if you're living in a low cost of living country and farm your own potatoes to survive, of course you could make it. But in the global north, forget about it.
- Run-of-the-mill security people aren't compensated well, because they lack skills. It's 2024, so yes, you should be intimately familiar with a bunch of tech stacks. Dude, when high school grads have more dev experience than you, you should look inward.
- The fact that you haven't found anything is extremely valuable, but only when you tell me what your testing methodology was and how you used the tools. If you let me peek into your skillset and give my people a learning opportunity, your services are worth more to me.
- If you can't stick to your rules of engagement, and complain about it, again: you need to look inward.
- If you are a freelancer, isn't it expected that you spend 50% of your time improving your skillset, taking the courses and getting the certs? Of course folks are asking for the cert; it's the cyber sec equivalent to asking for a college diploma or a master's. Is the author expecting that "trust me, bro" is going to convince folks of his skills in a competitive market?


Allen_Koholic

Half of this article sounds like complaining that he had to be a big boy and go to meetings and do client work, instead of sitting around like a 90s hacker doing all the kewl stuff. And the other half is him complaining that PenTesters are expected to be able to do all the kewl stuff and he couldn't.


Quick_Movie_5758

Many companies only test to meet compliance and insurance. So they usually go to a big-box shop like ones that start with an O. These shops are usually staffed by a lot of inexperienced paper tigers whose job is to slap a phone book of vulns on the corporate meeting table. This is what drags the pay down. I only use small shops with experienced pentesters to test specific TTPs and areas of the enterprise, and as a result, we pay a premium for it. I also know that with experience, they're more likely to not tip something over. You want quality, you have to pay for it, which is exactly how it should be. The companies that hire low-dough are also the ones to have tests that are photocopies of prior years.


MikeTalonNYC

I think part of the problem is that pen-testing is seen as a "regulatory check-box" thing. A huge number of organizations don't actually want to pen-test, and ignore most of the results. The result is that it's seen as a paperwork job, which explains the low pay rates and "commodity position" thinking. If organizations used pen-testing correctly, to identify issues and discover remediation/mitigation methodologies, things might be going better in that area of the market.


00xTheCodeofChaos

Glad someone finally said the part about the OSCP and jumping into the market. Those days are now over.


paperboyg0ld

The thing about getting into pentesting is that for your first role, you are most likely going to be working for a consultancy. Larger consultancies have a lot of churn, and this really makes or breaks a lot of people. There are a lot of pentests that are done purely as a checkbox, and beginner pentesters often get shafted with them. I think it's a lot different when you are working internally for a specific org within a larger cybersecurity function, which tends to be a lot less soul crushing. Even better if you're in Security Engineering imo.


hoodoer

I absolutely love being a pentester as a consultant, always new challenges. If you get to a place where you work for a really good firm, you'll probably be very happy with the role. The really good firms often charge more too, letting you make more money. I make more money doing this than any other role I've had.


MidwestTechDad

This article sounds like someone who didn’t really know what the job entailed and comes across bitter at an industry because it’s not what he thought it would be. I do agree there are bad consulting companies and bad pentesters. There is a reason a reputable, good company costs money. I do agree the entry-level position idea is a bit misleading. I also think HR and job recruiters don’t actually understand what is needed and job descriptions are laughable. However, you don’t need 10 years' experience and all that other stuff. If you get into cyber security because you think every position is high paying and you’re in it to make money, then you’re in it for the wrong reason. Security jobs and IT jobs will burn you out if you’re just in it for the pay day. Lastly, the fact the article is peppered with statements about not knowing certain things and being new to this, I’m not sure how that qualifies anyone to talk about how someone shouldn’t be a pen tester. What I tell people that ask me is find your passion, find out what you love doing, then go pursue that. This article sounds like someone who thought security was cool and had a bad experience with a bad firm and decided this is how the industry is. So, they went back to being an admin because they could make more money.


00xTheCodeofChaos

**"On a side note, have you noticed how many “training” sites there are now? It’s almost like people are making more money teaching hacking than actually doing it. Every time I turn around I see a new EDR evasion, Malware Dev, REAL HACKER training course popping up. Strange huh?"**

Because there are not enough decently paying jobs for these roles. Why create a YouTube channel based on what you do in your day-to-day when you can sell someone a dream lol. The other day I saw a young woman selling a DevOps bootcamp for 2-3k and you can't even keep the material. If you want training, either go with THM or HTB. Everything else just seems like noise at this point. TCM is also a good option based on the support you get.


HJForsythe

Don't they basically just run a stolen copy of Acunetix against your website and then try to phish/social engineer your janitor?


grenzdezibel

The story isn’t funny anymore after you heard it a zillion times.


whatThisOldThrowAway

I'm skeptical. They say AI will solve cybersecurity in the next 10 years, at least to the point where most technology companies drop pen testing entirely... and then they go on to imply that AI is the reason for the tech layoffs which have happened in the last few years! This person seems to have technical chops but also a foundational misunderstanding about the trends in the industry. Maybe it's just lack of experience, but I wouldn't put much stock in their conclusions about the industry overall.

> Hacking as a job is very different from hacking in your spare time, or as part of a training course...

Agreed, of course, how could it not be. AI will replace appsec, AI is the reason for mass layoffs post covid... simply not correct.


LBishop28

I would say saturated, but not overrated. We need team red, but most jobs are in team blue.


wisbballfn15

Seek out red teams who have testers that are former blue teamers. It’s hard to begin a career in pentesting without really ever working with the platforms you are testing.


iheartrms

Pentest is overrated as far as careers go. If you love doing it, that's great. Just understand that there are a WHOLE LOT MORE blue team/defensive jobs out there than red teams. There is so much more to security than pentest. Pentest is a tiny fraction of it. But it's what gets all of the sexy scenes in movies, so everyone wants to do it. I've worked for a lot of companies, including some big names you would know, and none of them employed their own red team. On the very rare occasions that they did need a red team (a couple of weeks every couple of years, typically) they would contract it out to one of the relatively few red team contractor companies out there. And you have to be constantly up on the technology. Constantly learning. There's always new stuff coming down the pipe. Are you really going to be doing this for your whole career? Probably not. But you can't all go on to be managers or run your own pentest company. So think about the future too. Burnout is real.


Waimeh

Just like a lot of other stuff in life, you gotta eat some veggies to get dessert. This guy didn't want to eat his veggies, and now wants to take other people with him. Skill issue.


grumpy_tech_user

Our company specifically employs third party because those guys tend to be exposed to more “tricks” than internal guys since they work on multiple unknown networks. Food for thought


Skippy989

We used third party testers for years, the same firm, but new operators every time. We wanted the best simulation of skilled adversaries so we let them go to town with few rules. Don't break anything, and let us know before an exploit was executed, otherwise take the gloves off and go for it. They loved us and we got great tests, any serious findings were taken care of in days, if not hours.


Justhereforthepartie

Whoever wrote that seems like a tryhard crybaby. There is always a market for good pentesters. Some people are better or worse than others, and the same goes for companies. At the end of the day, like everything else, it comes down to proper scoping and execution. I get tremendous value from my third party pentesters.


Clintre

The problem now is: There are third-party solutions to handle that where you don't "need" a full-time position allocated, as far as many companies are concerned. Not saying that is right, but companies love to cut cost and if they see an alternative, they will. I say this as a company that offers these types of solutions as an add-on to our risk management solution. It was originally geared towards smaller companies that could not afford a full-time employee for the job. What we have found is the large clients wanted it as well. Personally, I think companies should have an internal expert and use the third parties as a validation.


Icetictator

There's a few good points in there but.... It just sounds to me the dude got sold a dream, and was very disappointed that his expectations didn't match reality.


Progressive_Overload

Like every other job, it is dependent on the company that you work for; pay, work-life balance, interesting systems to test on, etc. I would actually argue that blue team is more stressful and deserves higher pay. This is coming from a pentester and red teamer.


Fallingdamage

I read the short article. Was this some sort of special-needs camp or camp for troubled youngsters? Why would they have to put an alarm device on the bivy to prevent the child from opening it? In what world would that type of device even need to be used or kept on hand??


DrSt0n3

This article just seems like a pen tester hit piece from someone who couldn't cut it or wanted more money than he was worth. Like everything, your experience depends on where you work; we were strictly 8-4, M-F, and we were doing 10+ concurrent external pen tests in a 4 week period. If you wanted to set up servers or payloads after hours you could, but we weren't expected to. For the teaching a course thing, there are plenty of free resources out there to learn a ton. Black Hills Info Sec's YouTube channel has awesome courses where you can learn a lot. With AI on the horizon, I think pen testing may fall by the wayside for everyone aside from the GOATs who craft zero-days in their sleep. Companies are also notoriously cheap, so if someone can craft some auto "pen testing" tool that tests monthly, they will choose that over calling a firm in once a year. We are already seeing that from our bigger client; they want a continuous monitoring solution as opposed to the once a year testing they were doing. I think we have a good 5-10 years before this happens, but we are already pivoting for this scenario by pivoting into other security related services and not focusing so much on the pen testing services.


grumpy_tech_user

This guy is how black hats get born. I fear for anyone who employs him.


VAsHachiRoku

Yes!


h4kr

There are probably only 10-20 companies worldwide that do it properly and that you'd actually want to work for in this particular niche. To find them you just need to see who's actually putting out novel research - mdsec, trustedsec, specterops and the like. The rest just pump out reports, hire unskilled guys and spend zero on R&D. These guys are still probably able to complete objectives in immature environments despite the increasing barriers to entry, and that's the clientele they target. IMO the guy is way off when he says you need 10 years of experience, CVEs etc. Seen plenty of people in pentesting roles that don't have any of these and that frankly probably struggle with easy HTB boxes. He's right about people that are really good in this space making more money outside of the 9-5; many are doing both though, it's often complementary. If you're not a moron you just do the bare minimum in the 9-5, get a work from home job, and use whatever time you have on the side gig. But certainly wouldn't go into it with the idea that you're actually making any difference. Execs could not care less about this stuff. Understand their incentives; they only care about their bottom line. Problem with the guy who wrote that blog is he cares way too much. Fuck the client and fuck your own company. You're there to get paid, collect and that's it. But yes, consulting is shit and all consultancies give a shit about is billable hours, nothing else matters. If you want a relaxing job avoid consultancies at all costs and get some internal cloud admin/architect type of job. Without a doubt, to have deep expertise in this field requires an insane amount of knowledge. But you don't need to know it all, no one does. Don't know what he's talking about by having to memorize syntax, no one does that. Cheat sheets exist for a reason. As for all the rules of engagement restrictions, just gotta be more creative. A lot of low-tech stuff still works.

95% of breaches are carried out by absolute noobs using TTPs that should have got them flagged 10 years ago, but they're still working. Yeah, EDR is making things harder, but that just means post exploitation workflows are changing; there are alternatives to dropping tools on disk or needing local code execution. I think the guy's issue is he's thinking he's gotta go all Mission Impossible on some mom & pop type operations. Most environments should still be a piece of cake to own for anyone with a modicum of skill, even without access to next-gen implants, red team infrastructure, CI/CD pipelines, 0days, bleeding edge TTPs etc.


UntrustedProcess

And Cyber Security Policy is underrated, extremely excruciatingly painful, and well paid.


Derpolium

TLDR If you want to be a Penetration Tester, you need to be intimately familiar with the technologies you work with. You’ll also probably take a pay cut if you are a 20 yr Sys Admin working for a Fortune 100 and get a job as an entry level tester. That is like saying “water is wet” and should be no surprise that their payloads have to constantly be updated to bypass AV and EDR. Also, you may be able to break over $120k in a given year on bug bounties but you cannot guarantee to consistently have that level of income.


Vaya_Con_Migos

It’s not going to pad your resume but it’s good if your company has an internal red team and you want to get on that team


therabbits_music

I have done OSEP, OSDA, OSWA & OSCP alongside CEH. I was into IT, pivoted to audio engineering, and now I'm trying to get back into IT after a 3 year gap. I thought I would end up landing one decent job, but after reading this, it feels like I have made the mistake of my lifetime. Is that the reason I was unable to land any interviews at all, despite applying to more than 100 companies? If anyone can help me with this, please do! Appreciate all the help I can get! 🙏🏻


scertic

Cyber careers got killed by the inability of the system to produce quality schooled professionals to match the demand. As we have on a pano at the entrance, "Security is always considered an unnecessary expense until a breach happens" - that tells a lot. My suggestion is that you need to go through the whole "process flow". Work as a support agent. Work as a developer. Work as a System Administrator. Network Engineer. Work as a team lead. Work as a project manager coordinating devs, sysadmins, and customers. Finally get some experience as CTO. Trust me, you will eat alive all these "guys with certificates heavier than they can carry." You will "learn how to learn what you need quickly with the resources you have at the time" - and that's the definition of hacking. What should be legally banned is issuing "Certified hacker" certificates or similar oxymorons.


vc3ozNzmL7upbSVZ

no


Volapiik

Love this, very honest look into the market. Happy I didn’t put all my eggs into pen test since I’m sure I would still be searching for a job. Always keep your avenues open. If you really want to do pen test, do bug bounty on your own time.


CrazyTreat8326

The blogger revealed hidden truths. Totally agree 💯


MalwareDork

Overrated? Never. Disappointing? Absolutely. This is all my opinion because I'm not a technical person and this might or might not ruffle feathers. I'm just really good at finding vulnerable targets and take the "pwn once to own" mantra very seriously. (A free tip: old, uber-rich people like the ~1,300 billionaires and ~30,000 centi-millionaires hanging around have expensive hobbies, and most of those hobbies are supplied by small businesses with extremely poor security around their financial information. Take that for what you will.) Pentesting and redteaming have no existence outside of crime, compliance, DoD/government, and are rarely budgeted for by non-essential businesses. It's just a sad reality of life where consultants recommend paying ransomware gangs over securing infrastructure, turning a blind eye to state actors, and suing the shit out of anyone who tries to do a good deed. It also seems like most people who want to get into pentesting just want a fun and exciting career that they can invest their entire life into....... between 9-5 Mon-Fri, and expect salaries exceeding 200k. Nobody wants to talk about scraping 60k a year getting up at 1am to trip alarms until the police/security gets bored and stops checking the perimeter. Nobody wants to talk about the mound of paperwork you need to fill out at 6:00am to turn in at 9:00am. Nobody wants to talk about the contractual and statutory legal risks whenever an event is scheduled. Nobody ever wants to talk about the actual work-life balance that's forfeited. Nobody wants to talk about insurance liabilities: who here can explain what Errors and Omissions coverage is? What would you do if you're accused of malfeasance and sued? C-suites are very irrational like that. What happens when you do an oopsie and the FBI is breathing down your neck? What about when you get into DoD work?

That's an ocean within an already-murky ocean of compliance, with the proverbial "barons" that you'll be playing devil's advocate against. What about when you're target #1 for state actors like China, Korea, and Russia? Germany? Israel? Next is the actual skillset. Most people in IT tend to function within the spectrum. You have to have the charisma to function, at bare minimum, within a team. Nobody has time to deal with some blowhard sniffing their piss all day. Outside of that, you're working with very sensitive clients and stakeholders as a consultant or business partner. You need to be as suave as James Bond and as ruthless as Steve Jobs. Any technical aptitude is always secondary to having people skills, unless you're a one-in-a-million Mitnick and the CIA wants you. And as the article stated, you need to be bringing home the bacon. I've mentioned this before, but redteaming and pentesting are more of a way of life, not a white-collar career. It's the digital equivalent of an 11B/03xx, and you're not signing up to go home at 1900. Blueteaming will always be more appealing because:

* Lower barrier of entry
* Stable schedule
* You're not liable to be sued/physically harmed
* Faster career progression
* Generally a larger pool of career paths and advancements
* Generally a stable job that will always be around
* You're only really dealing with your boss/supervisor
* Once you get experience, you can pretty much apply anywhere


obelisk19

incoherent cosplayer gibberish


MalwareDork

I'm a nobody and claim as such because I really am a nobody who does freelance work, but I still stand by my opinion even in spite of the Reddit hivemind. I'm also humble enough to accept correction, so if you feel like I have been way out of line, I would like to read why and correct myself.


That-Magician-348

The market isn't good. Companies don't want to spend extra money on "extra" items that aren't specified in regulations. If they want a yearly pentest, maybe they find some consultant to sign a vulnerability report.


holywater26

Good read. Thanks for sharing.