I’ve been answering questions about penetration tester jobs for over 20 years now. During that time I have been a penetration tester, and a Director of a penetration testing company. These days I head up the penetration testing team at a well-known Manchester-based cyber security company. I’ve interviewed, rejected, hired (and on occasion, fired) penetration testers and have mentored and guided many others.

I suppose that gives me some insight into what the job requires. Or at least, what I’ve always needed from a penetration tester working on my team.

Much has been written about qualifications and experience, and that’s fine. Although a focus on academic qualifications alone really does miss the point. There are many attributes a penetration tester requires in order to be effective, and many of these are actually personal characteristics rather than paper qualifications.

As I write this, I think of the most talented testers I’ve had (and have) the good fortune to work with, and their backgrounds really are eclectic.

At this point I imagine you want me to talk about all of the qualities needed to get the job. Unfortunately for you, Dear Reader, thinking and acting like everyone expects you to is not a quality that successful penetration testers exhibit. Instead, I’ll recall (anonymously) some occasions where it was clear to me that the individual really would not be happy in the role.

The ‘tell me exactly what I need to do’ candidate

During this interview, the candidate repeatedly wanted to know a very specific list of the things he needed to tick off to get a penetration testing job. I tried to explain that it really doesn’t work like that, and life just doesn’t consist of a checklist with a guaranteed outcome. We agreed to disagree. Next candidate please.

The ‘show me the money’ candidate

Let’s be honest, the pay for many penetration testing jobs is decent. Demand is high, and supply is low. This does tend to attract people who like money more than perhaps they should. There’s nothing wrong with chasing money, but if you’re trying to get into the industry, at least pretend to actually be interested in the detail of the job. If nothing else, penetration testing jobs are detail jobs.

The ‘I can bring you loads of new clients’ candidate

How or why would you do that? Isn’t that a sales and marketing job? Never going to happen. Next please.

The ‘never mind the quality, check out my certs’ candidate

Cyber Security Certifications. A whole other blog post in that old chestnut. This is often the candidate who has just got their current employer to pay for a bunch of expensive certs, and is now actively marketing themselves on the back of it. Sometimes it works, and sometimes it’s a red flag to a prospective employer.

The ‘nobody understands how great I am’ candidate

Confidence is a great thing, but I remember one candidate who took every opportunity to let us know that this role, which we’re obviously going to offer him, is only the next step in what will be a stellar career. In actual fact, he thought we were lucky to have the chance to employ him before he’s snapped up by NASA, Boston Dynamics or Tesla. I imagine he was on the phone to them shortly after our interview concluded.

Qualities that matter

So I guess you can work out (reverse engineer maybe?) from the above what the qualities of a successful candidate are.

Housekeeping basics

There are other important things too. I’d class these as housekeeping issues. Boring but important.

Myths

You have to be super-smart to be a penetration tester

Debatable. It is true to say that I’ve worked with some people who are indeed super-smart and are amazing testers. But I would also add that I’m not super-smart and I’ve managed to have a decent career in the field without a problem.

The fact is that some penetration tester jobs need super-smart people. But if you’re lucky enough to be exceptional, then you don’t need my advice and you’ll probably do well in whatever area you choose. It doesn’t mean there isn’t room for us non-genius people too. Hopefully in this blog I’ve made it clear that there are some personal attributes that will serve you well if you genuinely want to get into the field.

We can’t all be Lionel Messi, Grace Hopper or John Coltrane.

Certifications are the route to success

Not in my experience. Although the Cyber Security industry is littered with them, I would humbly suggest that many of them are little more than tick-box certs. If you’re considering investing in a course & exam programme, I would suggest you confirm that:

You need a degree to even apply for penetration testing jobs

Some companies may indeed specify this, but this is changing rapidly. The demand for cyber skills has made many companies realise that they need to be more creative and open-minded in recruiting. This is a welcome change, and not before time. Many of the brightest and most talented people I’ve ever worked with have unrelated or no academic backgrounds. Do not let a lack of academic experience put you off.

I don’t need a degree? I’m quitting my course right now

That’s up to you of course, but consider your actions carefully.

Penetration testing is mostly about retained knowledge

Absolutely not true. Penetration testing jobs are quite skill-based. Sure, you need to know stuff, but you also need to develop skills through practice. This is why I value practical experience and attitude very highly.

The Cyber Security Industry is basically all about penetration testing

Massively untrue. The industry continues to evolve and new markets, products, services and roles are opening up all the time. I’m talking about penetration testing jobs in this post, but the industry and indeed the emerging profession is much larger. I should write another post on that topic.

So there you go. The field is open, and there is opportunity even if it feels inaccessible at first. With perseverance and a little luck, you’ll get there.