How Do I Become A Penetration Tester/ Ethical Hacker? We Ask The Experts!

How Do I Become A Penetration Tester/ Ethical Hacker? We Ask The Experts!

Henry Dalziel | Information Security Careers | September 11, 2016


What is this post about?

Time to read: 20 mins

We are often asked by students “How Do I Become An Ethical Hacker”; or “How Do I Become A Penetration Tester” – so, we thought, rather than re-invent the wheel and regurgitate the same reply it would be better to ask existing Penetration Testers working in the field for their opinions and advice on how to get started in the Pentesting (Cybersecurity) Industry. There’s no doubt: the job cybersecurity market is booming and it expected to grow from $75 billion in 2015 to $170 billion by 2020. A career in the industry can mean a very good salary, job security, and the potential for upward career growth. A Penetration Tester can be a fun and highly fulfilling role within Cyber but of course, like everything else in life, it can have challenges.

More than 210,000 cybersecurity jobs in the U.S. are unfilled, and cyber job postings are up 74 percent over the past five years, according to a 2015 study by the Bureau of Labor Statistics; but the question remains on “How To Get Started in Cybersecurity!”

In this post we ask current Professional Penetration Testers working in the field how they become professional hackers. (We really appreciate the time that you have taken to write your answers. Also, please note that if English is not your first language we will edit the grammar and spelling of your answers for you).


What will you learn from this post?

  • You MUST have a passion for it (‘hacking, cybersecurity, pentesting etc’);
  • You MUST learn hacking tools and how best to use them;
  • Certifications are important and do help! CEH, CISSP, Security+, OSCP, C)PTE
  • Tips and Tricks and how to get started

If you are a Pentester or Ethical Hacker please share your advice and expertise by answering two questions on a Google Form:


Take Part In The Interview!


Suleman Malik

[Taken from Suleman’s TED Profile] Suleman Malik is a dedicated and resourceful computer professional with 9+ years extensive learning experience in Cyber Security, Penetration testing, Security researching, recovering and maintaining a diverse range of hardware and software. He is based in Leeds and currently full time student studying Computer Forensic & Security. He is an I.T security professional and has a keen interest in Ethical hacking/Pen-Testing, social engineering, security researching and developing exploits.

How did you become a Penetration Tester?
Ethical computer hacking was my personal interest and i moved into this when i was 12 years old. I have been doing this all since i was a kid. So, I started learning ethical hacking from internet and learned much information about it. I’m still learning [cybersecurity] in-depth. Ethical hacking is not an easy task if you don’t have the knowledge. If you are keen then you have to go into depth to understand its’ layers, networking and how two devices communicate with each other over the Internet and which protocols they use to transfer bit by bit from one device to another; and what are the security issues that are raised while the two devices are in connection. You’ll learn to love it once you understand!

What advice would you give to someone interested in becoming a Penetration Tester?
To become a penetration tester you need to start from independent learning. I would suggest that you start your learning from web application pentesting. It will make you more stronger to understand about client side and server side attack. You will also learn the common web apps vulnerabilities and how to exploit them. There are some pentest virtual machines that are available online and will help you to understand the vulnerabilities and how to exploit those vulnerabilities. The few popular VM machines are Metasploitable, Dojo web, Pentest Lab and Hack Labs. You can download them and start learning from these machines as they are made for beginners. You will find Top 10 Common Web Vulnerabilities from OWASP website. You will also find a lot of detail about bypassing restricted characters using OWASP cheat sheet, (which is managed by a previous Concise Courses Hacker Hotshot: Jim Manico).

So, it’s better to start learning how to hack from Web application pentesting and when you think you are proficient you should move into “Network Hacking” and other areas.

NOTE: You’ll understand more if you have command over PHP, JAVA and HTML.


Justin Keller, C)PTE, ACMT, ACTC

Justin is a Certified Penetration Testing Engineer (CPTE), Apple Certified Technical Coordinator, Apple Certified Macintosh Technician, Hurricane Electric IPv6 Certified Sage.

How did you become a Penetration Tester?
I’ve always liked computers and learning. I was online, one day, and I started reading about the requirements, which include in depth knowledge of systems. I decided I wanted to get that in depth knowledge and pen testing was the best way to apply it.

What advice would you give to someone interested in becoming a Penetration Tester? Buy textbooks, and read them. Buy certification guides, even if you don’t plan on taking the he certification. The guides provide questions which you can use to gauge your understanding. Get training either online or in person from a trusted source. Finally, when ready, get certified. I recommend C)PTE, C)PTC, and CEH


Nijat Taghiyev, OSCP

IT Security Specialist, Azerbaijan

How did you become a Penetration Tester?
I’ve started by reading some articles, books, forums, and taking a PWK course (Penetration Testing with Kali Linux)

What advice would you give to someone interested in becoming a Penetration Tester?
Practice, reading books, blogs


How did you become a Penetration Tester?
After years of dedication and showing my knowledge, I was able to land a job doing what I loved. It has to be a passion, it has to be something that you start in your spare time as a hobby. Nobody just becomes a penetration tester overnight. It was always a hobby until it became a satisfying career.

What advice would you give to someone interested in becoming a Penetration Tester?
Penetration testing is a hot market. Security in general is in demand, especially now more than ever. It is saturated however with a bunch of people who also want to a legit penetration tester. You really need to have the passion for it. You need to be able to put something on your resume/CV that stands you out from others. This doesn’t mean a bachelors degree in computer science. It doesn’t mean a CISSP that you have. Do you have a security blog, are you active on any security forums, are you working on any projects on your own using github or bitbucket, have you participated in any CTF’s?

Are you participating in your local hacker groups? You need to get yourself involved in the security community. You need to become a member of that community and surround yourself with people that have the same passion. With anything else, there will be times where you might step away, or want to give up but you have to keep on and put in the time. You will be rewarded someday for your passion. This is an art. It is a skill. This takes time to learn, it can be a lifelong journey if you let it. You should never stop learning, get well rounded and pick a subject in security that you find yourself liking just a tiny bit more. If web applications interest you, if network LAN based pentests interest you, reverse engineering, crypto, whatever it is, there are many parts to this area. Find one that you can specialize in. Become that go to person for that skill. We do not have the years to master all of it, get well rounded, but have a specialty. You can apply this to anything but it is true: find something that interests you, become good at it, then become great at it, and then become a master of it. As a legend once said: "A boy comes to me with a spark of interest, I feed the spark and it becomes a flame. I feed the flame and it becomes a fire. I feed the fire and it becomes a roaring blaze."


Choudhary Muhammad Osama

Penetration Tester and Application Security Researcher

How did you become a Penetration Tester?

Well, from my childhood I had been enthusiastic about Information Security; if you are requesting about the serious part, however, it’s been around five years. I was a teenager going to cybercafes and everything commenced there, I was mpressed by the things the fellas were doing and I simply fell deeply in love with hacking. It was that much much easier to attain goals, hacking into machines, stealing information, pictures and a total whole lot of fun. I went into other activities then, some “professional work”.

What advice would you give to someone interested in becoming a Penetration Tester?
Love learning! In the event that you cringe at the very thought of needing to quickly learn a fresh skill, operating systems, program syntax, or strike strategy, you might feel overwhelmed, however, there is hope! Take what you do love, find out improved ways to secure it in a business feasible way, and work for the “Red Teams” out there that frantically need more security-minded people as well. [You can contact me anytime]

  • Concise Courses
  • Offensive Security Metasploit Unleashed
  • OWASP
  • DVWA
  • "..YOUR FULLY CONCENTRATED MIND.."

Razvan Gabriel Coman

Penetration Testing Advisor at Dell SecureWorks (offering services such as Penetration Testing to Fortune 500 Healthcare customers).

How did you become a Penetration Tester?
I can say I’ve wanted to do this since high-school, but it took a BSc, a MSc and 5 years of working in several IT Security roles before moving into a Penetration Testing position.

What advice would you give to someone interested in becoming a Penetration Tester?
Try to enter a hacker’s mindset. Security is everywhere around, not just in computers, always think out of the box and how you can bypass restrictions. Learn something new every day. Learn some Cryptography principles. Learn about computer networks and protocols, practice with Wireshark and a network simulator like GNS3. Learn Operating Systems principles, install Linux, try to use it every day. Learn about Web Technologies and Security (HTML, JavaScript, PHP, SQL, OWASP Top 10), analyze vulnerable apps available online with Burp Suite, OWASP ZAP, SQLmap, Firebug, etc. Grab a general purpose programming language, like Python, learn it while working on a small project of your choice. Fire up some vulnerable virtual machines and create a small pentest lab, play with Nmap, Metasploit and other Kali Linux tools. Get into any IT/Security job available, as some things can only be learned on the job. Learn all you can there and when you start doing the same thing every day move to another. Don’t expect over the night results, it’s a long road, requires constant study, but it’s definitely worth it if you’re passionate enough.


Mohamed Tehami

Penetration tester at SCASSI.

How did you become a Penetration Tester?
Well, since i was young i was interested about security and hacking, it was all about curiosity and wanting to learn how things work and how we can change the way they work. It was the main reason i choose a Computer Studies career on the university (now several specialties on information security are available); to learn the basics of all what is related with IT, networks, programming, design etc., and in my part time I liked to have fun doing some tests on my local lab at home, while now there are so many website that offers hacking challenges that are great for a beginner. Taking internships related to security is also important to be a professional pentester but that is not always necessary.

What advice would you give to someone interested in becoming a Penetration Tester?
In order to become a good pentester, you should first have a good knowledge about how things work, network protocol, applications. Because pentesting is not just about using hacking tools (that what we call script kiddies) but it’s about knowing what you’re doing while the tools can help reduce the work for you. After having good basics in IT, you should start reading about security and vulnerabilites and way to exploit them, that’s require patient and curiosity to learn, and also with pentesting you never know every thing because each time you may test a different kind of platfrome with different technologies and you need to find you’re way out to break it, and yet you can’t do that if you don’t know how things really work, so a pentester should be on a constant learning process.


Moataz Moustafa

Ethical Hacker & Penetration Tester

How did you become a Penetration Tester?
When I was 12 years old, I was very interested in the computing world, programming and internet, I wanted to be Android Developer, so in the summer vacation when I was 13, I started to learn to code with Java and Eclipse to gain more experience I started to visit a website called XDA Developers, it was my whole life, I was spending my whole day on this site, learning and gaining experience I then started to learn about Linux, root and open source then I made my first script to root my Huawei phone. I saw security and hacking as a very exciting topic, so I started to read more and more and learn, that was my intro into the field, I started then to take online courses, read articles, proof of concepts and get into online communities, learning Programming, Networks, Linux Administration and Penetration Testing, I started my career as a free-lancer Penetration Tester then I moved on to establish positions in companies.

What advice would you give to someone interested in becoming a Penetration Tester?
Being a Penetration Tester is something requires hard work and motivation, having the passion for the technology and information security is a must, being a penetration tester doesn’t mean someone who know how to write some terminal commands or automate some tools, A penetration tester is someone who have extensive knowledge of how computers, systems and networks work, every penetration tester must master a programming language, learn how networks work and operate, how systems are designed, learn about the internet and information security then it’s time to learn the hacking techniques, the most important thing to master penetration testing is practice so a new penetration tester should prepare vulnerable virtual machines and try to hack them and participate in CTF competitions, one of the best books someone can learn from about hacking vulnerable vm is (kali linux ctf blueprints) also the best website to download such machine is Vulnerable By Design, one last thing that information security is not a static field, you learn new things everyday so you should keep yourself updated everyday, keep practicing, keep gaining new skills and never stop learning.


Mr. OoPpSs

Mr. OoPpSs is a very young Cyber Security And Cyber Crime Investigator. He has been involved in the information technology And Cyber Security field since 6 years. He later pursued his higher studies in the field of Cyber Law and Computer forensic. He holds professional International certifications Like CEH , CPH, CHFI, LPT,CISE ,CEHIE, Certified Information System Security Expert, Internet Cyber Security Expert, Certified Android Development & Forensic Expert, Cloud Computer Application Developer Expert, Certified Cyber Crime Investigator, EnCase Certified Examiner, Certified Computer Forensics Examiner, Cyber Law From Indian Law Institute, MCSE and CCNA Certified, Diploma in Digital Forensic & Cybercrime Investigation, Diploma in Certified Information System Security Expert Forensic etc.

How did you become a Penetration Tester?
Here are some article that I wrote that will help…

How To Become A Hacker: Steps By Step To Pro Hacker
20 Best Ways to become a Better Ethical Hacker.
How to Become a Cyber Security Expert

What advice would you give to someone interested in becoming a Penetration Tester?
A kind request for the welfare of students. Please follow the Ten Commandments in Ethical Hacking Training for Students.

  1. Always Start with Cyber Law, as that will give a clear picture of what and why we go for Ethical Hacking.
  2. Always teach “Ethical Hacking” & not “Hacking”. Many students are behind bars due to improper guidance.
  3. Create awareness on “Ethical Hacking” and the Career prospects of Information Security Field.
  4. Give proper guidance for future studies and international certifications like M.S., M.Tech (Information Security & Cyber Law) or Certifications which will help them.
  5. Always be clear on what can be done / cannot be done, don’t misguide students like “Nobody can catch you / trace you.”
  6. Discuss about how Cyber Cases are solved and motivate them to become an Ethical Hacker & not an Hacker.
  7. Don’t teach illegal things which is against Cyber Law.
  8. Promote the usage of Open source Software and encourage students to learn and code their own tools / Software.
  9. Always Cite the sources of whatever you teach, so that students also will follow you and not copy others material / codes.
  10. Teach them clearly that Ethical Hacking is not a Game & not for Fun. Tell them how important it is and tell them real life scenarios of how it could save a lot of people.

Most Important: Don’t Be Stupid Be Creative In Cyber World, Use Knowledge to Save Yourself & Your Country, Respect your Country’s Cyber Law.

Be proud to be an Indian & Ethical Hacker ! Jai Hind And Love Your Country.


Dimitris Pallis, OSCP

Dimitris is currently a freelancer/self-employed professional who probes for and exploits security vulnerabilities in web-based applications, networks and systems using the resources of bug-bounty/freelancing platforms (Bitdefender Bug Bounty Hall of Fame Bitdefender)

How did you become a Penetration Tester?
It was actually my career plan.I was always curious about how computers work and was fascinated about how they interact with each other.Breaking the rules was even more exciting (being always a “white hat” ofcourse) so why not get paid for it? I made a huge research online on tools and techniques that are used by pen-testers so I was 100% self-taught which was hard at the beginning but it’s still the best way to learn. When I was comfortable enough with the Kali Linux operating system and it’s tools I opted for one of the hardest certifications in the Security industry and in IT in general, the OSCP. Then I was officially a professional penetration tester and confident enough to apply for such positions.

What advice would you give to someone interested in becoming a Penetration Tester?
Regarding soft skills I would advise him/ her to have determination, patience,p assion about hacking and the ability to explain technical stuff to non-technical personnel. It may sound cliche but you won’t survive without them. On the technical side I would advise someone to be comfortable with the Kali Linux OS, refresh his knowledge on computer networks and security concepts. There are a lot of free courses online so it would be beneficial to check them out. When you feel confident enough you can also download vulnerable machines and try to get root! On academic level there is not yet a bachelor or master that can (even) prepare you to become a penetration tester. Even degrees on security will teach you outdated stuff in most cases and will not cover penetration testing in depth.If you want to start sending resumes for junior pen-testing positions I would definitely suggest to sign-up for the Offensive Security Certified Professional certification.


Alfonso Garcia Alguacil

Alfonso is a Penetration Tester at Cisco

How did you become a Penetration Tester?
This was in my career plan from the beginning, even before of my first security related job.

What advice would you give to someone interested in becoming a Penetration Tester?
I would say that once you have a good knowledge base in programming, networking, and operative systems the best is to play CTFs. Playing CTFs will open your brain and you will start to think about how to break software, and also you will learn to learn by yourself, looking for documentation about the technologies implied in each challenge, looking for similar vulnerabilities discovered in the past, etc. And the most important part, it is very funny!


How did you become a Penetration Tester?
It was something i started as a hobby, then proceeded to being professional

What advice would you give to someone interested in becoming a Penetration Tester?
There are vast and majority of resources you can learn from both online and from real people. If you have an issue/problem dont back down, keep at it.


Suraj Rajkumar Waghmare

Suraj is a Security Analyst at Jainam Technologies Pvt Ltd

How did you become a Penetration Tester?
I was driven by incident.

What advice would you give to someone interested in becoming a Penetration Tester?
Gain knowledge.


Ranjan Kathuria

Ranjan is a Security Engineer at NestAway Technologies Pvt Ltd

How did you become a Penetration Tester?
I started moving in to security domain after a guy in our college hacked a Facebook by a keylogger. It was a seminar and I paid Rs 500 to attend that seminar and later I thought how easy is for these script kiddies to fool people, after this I decided to solely move in to this domain. Later I managed to be at #1 on Quora Bug Bounty.

What advice would you give to someone interested in becoming a Penetration Tester?
Don’t search on Google :- "How to hack facebook".


Mohamed Magdy Hassan

Mohamed has experience with ethical hacking, penetration testing and vulnerability assessments and security code auditing. Aside from having good knowledge in programming languages (C , PHP, Java, JavaScript…) & scripting languages (such as Bash, Python, Ruby) he is also the technical lead at “InfoSec Elities”, which is an information security community in Riyadh, Saudi Arabia.

How did you become a Penetration Tester?
I started my journey working as a security engineer. I worked on Firewall, IPs, Web Gateway, Anti-virus, Advanced Threat, etc.. During that I learned about networking and Windows systems. After that I started with web penetration testing, since I was a web developer originally, by taking an eWAPT certificate. After that I started working as a web penetration tester. During that, I was studying for my OSCP until I finally got it.

What advice would you give to someone interested in becoming a Penetration Tester?
To become a successful penetration tester, you need to understand 2 topics, Networking and Systems (Windows/Linux). After that it depends on your goal. If you are planning on web penetration testing, I recommend eWPT certificate and participating on the bug bounty programs. If you are planning on infrastructure penetration testing, I recommend eCPPT and/or OSCP certificates and participating on CTFs. Some general tools that will help you are: Nikto, Nmap, Metasploit, Ettercap, John The Ripper, Wireshark, Burp Suite, Sqlmap, BeEF and Hydra.


Chaitanya Bobhate

Being a Patriotic person, I always craved to work for my Nation as a Cyber Security and in Information Security Field and this is one of the field that I craved for.

How did you become a Penetration Tester?
In this growing technical world, everything is digitized and so parallel that security comes in picture and every organization focused on their system security; you need to secure your confidential data from intruders. Penetration tester probes for and exploits and security vulnerabilities that will simulate real-life cyber attacks and your ultimate aim is to help an organization improve its security posture. Penetration testing is a "cool kid" job, but it is also a personal interest of mine; hacking is my passion, this is a challenging career and you need to brainstorm to complete your tasks. To pursue my passion at a professional level I have pursued a Penetration Testing certification and also completed the CEH (Certified Ethical Hacker). I am also preparing for the OSCP certification, to level up my knowledge in my domain.

What advice would you give to someone interested in becoming a Penetration Tester?
From my knowledge of understanding the important things in the penetration testing field is that one should have lots of patience with passion and need to be updated on technologies. One should be a self learner, and self motivator and should know the knowledge of Networking, Operating systems, Data base and basic knowledge of Programming.


Omar Ahmed

Omar is a Penetration Tester with 6 years of experience in web application & Network Penetration Testing, and Incident Response. Conducted vulnerability assessment and penetration testing for many high profile companies all over Middle East, Highly skilled hands-on application security assessment and development of security tools with deep understanding of vulnerability management process and risk assessment. Involved in security challenges by joining online CTFs.

How did you become a Penetration Tester?
Actually, It was something I started as a hobby, but I was always curious about how computer works. When I was young, I didn’t have a lot of friends, I spent my days learning about computers and how I can do this, and how to do that. After that, I found the right path to understand Penetration Testing and I read a lot of books about Information Security and Penetration Testing. I started writing about Penetration Testing in technical blogs, and learned a lot by that because every topic I talked about I had to also research. Learning by doing and learning by teaching: that’s how I became a penetration tester.

What advice would you give to someone interested in becoming a Penetration Tester?
The most important thing, is Penetration Testing is not about hacker (pentesting) tools; mastering certain tools will not make you a Penetration Testing. Relying on automated tools will just make you a tool’s slave. What you really need to know is how these tools works, and how you can write your own tools even if there is a tool doing the same thing already, just try to write a tool to do that thing too because in that phase you really need to know the right path to Penetration Testing. You have to understand how to do things manually, after that you are ready to save time by using automated tools. If there is a two carpenters both of them use the same tools, but one of them is good and the other is not, Why is that? It’s because the good one understood that tools doesn’t make you what you are, it’s just tools to reach your purpose and help you with your work.


Aaron Herndon

With a Bachelors of Science in Computer Science and extensive coursework in IT Security, including completion of my Offensive Security Certified Professional (OSCP) certification, my primary focus resides with assisting organizations in testing their security controls, assessing procedural gaps, and providing a road map for improvement. Experience with penetration testing, social engineering, and physical security allows me to provide a “full stack” assessment for organizations. Outside of work I enjoy researching new security exploits and testing them in a personal sand boxed environment. When I am not at a computer, I can be found outdoors back packing, rock climbing, and playing in recreational softball and volleyball leagues.

How did you become a Penetration Tester?
In my junior and senior years of high school I was presented with the opportunity to take dual enrollment courses at a local university (and go for my Net+ and A+ certs). While taking these courses, the professor acted as my mentor and introduced me into ethical hacking. My senior year I took up an internship under him, learning basic security concepts in both defense and attack. One thing I learned was that pen testing would require knowledge in a diverse amount of technologies, and being some what of a jack of all traits when it comes to computing. Therefore I went to college for a BS in Computer Science, and heavily specialized my coursework in security. No college degree, in my opinion, provides a wide enough breadth of information and experience to immediately become a penetration tester. Outside of coursework, one truly needs to understand how a corporate environment functions, such as business processes and system administration. Therefore I took an internship (which led to a job) as a *nix sysadmin. My primary job role was to manage *nix environments, automate deployments, and build out security hardening standards for RedHat/ AIX. I also took an opportunity to work with Internal Audit for 3 months on evaluating a global technology deployment within the company. This opportunity led to my understanding of the ‘auditing’ process (different from pen testing, but still helpful to understand threat modeling and risk assessments). In search of getting more security in my role now that I understood how environments functioned, I took a job as a Cyber Security Analyst with a financial institution, with job tasks ranging from threat modeling, risk assessments, deploying security solutions, speaking to the business about security, and also conducting pen tests. My defining moment which moved me into pen testing was passing the OSCP certification test (PWK course). This course provided a plethora of information and hands on experience, and gave me the understanding and knowledge to join as an entry level pen tester at Rapid7.

TL;DR – I knew pen testing was my ultimate career objective, and I took on multiple job roles and learning opportunities to gain a breadth of knowledge in computing (not just security) all to further my progress towards becoming a penetration tester.

I also have an article about this (bit more in-depth) on my newly started blog, acenyethehackerguy.com

What advice would you give to someone interested in becoming a Penetration Tester?
Self learning. Understand how tools do what they do, not just how they function. Dig into Metasploit modules and see what is going on behind the scene. Spend time on exploit-db.com looking at new exploits, testing them, and understanding how they function. Also, obtain a wide variety of sysadmin, programming, and corporate process knowledge to understand at least at a basic level how everything functions in a corporate environment.

Highly recommended certifications and courses:

  • Offensive Security Certified Professional (OSCP)
  • Network Assault (NWA, by Rapid7, shameless plug)
  • Web App Assault (By Rapid7, shameless plug)

Derick Ansignia

Derick is a Penetration Tester at TCISS.

How did you become a Penetration Tester?
It was actually a career plan since am studying information systems in a bachelors degree, I had passion to learn how systems work and to break codes running behind the scene. I attended a hacking class, learned a couple of things on my own since then and the passion to penetrate into systems has ‘been a thing’ for me, I love the art; sometimes [this makes] you feel you so smart!

What advice would you give to someone interested in becoming a Penetration Tester?
Anyone who want to be a pentester now should approach this career path with high level of interest sometimes it does not turn out to be too exciting you have to work smart, learn more and more. I recommend eLearnSecurity, they have a great start for a beginner. Nmap, sqlmap, metasploit, responder are some of the tools of the trade.


Lorenzo Vogelsang

Lorenzo is a Penetration Tester with experience in Web Application & Network Penetration Testing. He is also a CyberArk Certified Engineer and he implemented the software solution across multiple financial institutes in Italy. Involved in security challenges by joining online CTFs and Bug Bounties.

How did you become a Penetration Tester?
I’ve always liked the underground ecosystem and I started learning about computer and network security since I was a kid. Even though I took a degree in Philosophy one day I have decided to turn my hobby into a job starting a Master in ICT Security. This was for me the turning point as it allowed me to gather the necessary connections for finding a job in the penetration testing industry.

What advice would you give to someone interested in becoming a Penetration Tester?
My main advice is to try to enter the hacker’s mindset and to always be in the lookout for new opportunities and challenges in the field. Follow your passion and try to learn from the defeats you will encounter during your path and do not surrender but always “try harder”.


Phillip Wylie

I am an Information Security Consultant/ Penetration Tester with over 19 years of information technology and information security experience. Specialities include application security, penetration testing, ethical hacking, security vulnerability assessments, threat and vulnerability management.

How did you become a Penetration Tester?
I spent my first seven years as a system admin and moved into the InfoSec department of my employer. My first year and a half I worked doing network security supporting firewalls and IDS’. After that first year and a half my employer hired a CISO and he created different functions in our infosec department. I was assigned an application security role. I performed web application vulnerability assessments, coordinated third party penetration tests and managed vulnerability remediation. After seven years I was laid off and I got a consultant position working as a Penetration Tester.

What advice would you give to someone interested in becoming a Penetration Tester?
For people that don’t already work in IT, information security or have a related degree, then I would recommend learning operating systems, networking and scripting and, or programming. You need a foundation in technology because it is easier to hack something that you understand technically. If you have the technology background or after you gain this background, then you are ready to learn how to hack. To become a successful Penetration Tester, you need to develop a hacker mindset.

There are a lot of great resources available through books and online training. Websites like cybrary.it and securitytube.net offer free training and videos. Two books I would start with, are Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman and The Hacker Playbook 2: Practical Guide to Penetration Testing by Peter Kim. A great book to learn web application penetration testing is Web Application Hacker’s Handbook 2nd Edition by Dafydd Stuttard and Marcus Pinto. The Open Web Application Security Project (OWASP) website found is another great resource for application security and web application penetration testing.

Certifications are helpful when trying to break into the penetration testing field. Some certifications employers look for are the OSCP (Offensive Security Certified Professional) and SANS GIAC certifications such as the GPEN (GIAC Penetration Tester) and GWAPT (GIAC Web Application Penetration Tester). The SANS courses run around $5900 and the Penetration Testing with Kali course required for the OSCP certification starts at $800 for 30 days of lab access, $1000 for 60 days lab access, and $1150 for 90 days lab access. What I liked about the OSCP is that it helps you develop the hacker mindset as well as learning to manually pen test and not be reliant on vulnerability scanners. Capture The Flags aka CTFs and bug bounties are good places to legally practice and hone your hacking skills. CTFs are environments setup for people to hack. They are available online as well as at some InfoSec conferences. Bug bounties are setup for hackers to find security vulnerabilities for organizations. Some of them offer cash for discovered vulnerabilities, while some offer swag or honorable mention. Bug Crowd is a good place to find bug bounties and can be found at http://bugcrowd.com.

It is also important to network and get involved in the hacker/ InfoSec community. It’s typically easier to get a job if you can get referred by an employee of the company. Meetup.com is a great place to find InfoSec meetings in your area. If you are in the Dallas, TX area checkout Dallas Hackers Association (DHA), DC214 and North Texas Cyber Security Group (NTXCSG). For application security meets, checkout your local OWASP chapter meeting. InfoSec conferences are a great place to learn and network. A very popular conference, which is typically free, is Security B-Sides.


Junior Carreiro

Junior is a Member of DC-Labs Security Team, staff on BlackHat conference, Area31 Hackerspace founder and contributor for the Pentest Magazine.

How did you become a Penetration Tester?
I was always focused on the area of information security, when I was still an infrastructure analyst, I was always involved in defense, such as hardening, Firewalls, IDS/ IPS and WAF. When I was working in the defense area, I followed closely how the complexity of the attacks increased and this increased my curiosity and I ended up changing my area of interest and became security offensive, especially in web applications, which became my focus. Today, my studies and research are all focused on flaws and web application pentests.

What advice would you give to someone interested in becoming a Penetration Tester?
My advice for those who want to start acting in the area is to study, study and keep studying! The Internet helps us a lot these days and we have a lot of stuff, my suggestion is to learn how things work, TCP/ IP, OS, any programming language. It is necessary to form a solid base of knowledge, because it is important to know what you’re doing. The profession pentester is much more than simply running automated penetration testing tools.

Some books that have helped me and help until today:

Sites that recommend for studies:


Yehia Mamdouh

Yehia Mamdouh has 8+ experience in penetration testing and information security, and now he is a holding position as Penetration Testing Specialist and security researcher @ DTS-Solution (Dubai), He is the Author of many tools like XSSYA & BetWorm. Yehia has also been a keynote speaker for many conferences like QuBit – DefCamp – Middle East Info Security Summit and he has has been acknowledged on many websites as part of their Bug Bounty programs.

How did you become a Penetration Tester?
I got my first computer on end of 90’s at that time I start learn programming with visual basic, I start creating some basic programs, then I was hit by the Melissa Virus at that time and cause a lot of damage but I was amazed how a few KB can cause that damage after that I start make a lot of researchers on Worms, backdoor’s etc. I learned how to write them, and i create a sample virus with Visual Basic and then I continued learning about hacking and security, so yes I can say by accident!

What advice would you give to someone interested in becoming a Penetration Tester?
Actually, many advices, first advice if you want to become penetration tester, you should focus on Programming Languages at least one low level programming languages and one scripting language like Perl, Python, Ruby which allow any pentester not depend only on existing tools because every pentester deal with dynamic and different environments which sometimes require to write special script for special environments. My second bit of advice is to be persistent to finish of what you are learning till the end, and get yourself involved in security community and learn from them, keep yourself updated with last vulnerabilities and exploit being discovered, read a lot books, participate in CTF’s, and in the end share your knowledge with others because we learn from sharing knowledge.


John Clarke

Hard working self-motivated, organised and capable of working under pressure. I enjoy working alone or as part of a team. I have a logical mind with a practical approach to problem solving and not shy to request help if needed. In short, I am reliable, hardworking and eager to learn and I have a genuine interest in IT Security.

How did you become a Penetration Tester?
It was actually something I fell into and now it has become my career. I was given a break by a great man: I was a 34 year old intern who had returned back to education after the recession hit and luckily someone saw something in me and hired me into their security team.

What advice would you give to someone interested in becoming a Penetration Tester?
Play safe and within the confines of what is ‘ethical’. There are plenty of CTFs and security meet ups for you to learn and practice your skills. Believe in yourself and keep on educating yourself!


Daniel Saibt

I have experience in the areas of Security Offensive, Cloud Computing, Linux / Unix environments, monitoring and backup.

I execute projects related to the area of ​​offensive security. The main objective is to identify and exploit vulnerabilities, whether in Web Applications, Mobile or Infrastructure. I work in projects of this nature in the most varied types of companies / segments such as banks, hospitals, hotels, retail, government agencies, software development agencies, etc.

My areas of study are intrusion testing, vulnerability analysis and research, exploit development, hardening, and perimeter defense strategies.

How did you become a Penetration Tester?
Since entering the area of ​​technology I have always been curious about the intrusion test. He liked to read about how the intrusions were made, methods used, motivations, etc.

What advice would you give to someone interested in becoming a Penetration Tester?

  1. Be thirsty for knowledge. Study for pleasure and never out of obligation.
  2. Lab, lab, lab, and more labs. It sounds obvious, but this is what will make you learn for real. There are many options on the internet like pentesterlab, vulnhub, pentestit, hacking-lab, etc.
  3. Master at least one programming language. Any one you like. This will give you a very interesting technical advantage.
  4. Knowledge of infrastructure is essential. Learn networks, operating systems, protocols of all types, etc. You will deal with different types of environments and will have to adapt to each of them during an invasion.
  5. When exploiting a vulnerability do not just do it with tools. Really learn how the exploration was accomplished.
  6. Know your limitations. If you do not know how to program, study. If you do not master a given protocol, study. Believe. With the right motivation we are capable of doing anything. I speak from my own experience.

Nikit Jain

Searching for a challenging career as an Information Security Engineer with your Company that rewards hard work, organizational abilities and superior honesty and integrity.

Having knowledge about vulnerability Assessment and Penetration testing, web application security and python. I am also familiar with major penetration tools such as Burp suit, Nmap, Netsparker and Metasploit.

How did you become a Penetration Tester?

From script kiddies to penetration tester.

What advice would you give to someone interested in becoming a Penetration Tester?
Just do and get the depth knowledge about digital world.


Adam Ziaja

Adam has been in the IT security field for over a dozen years, both working in IT related positions and extending his knowledge and experience as part of his after-work activities. Currently working as an IT security freelancer with services such as penetration testing, red teaming, computer forensics and incident response (aka DFIR).

How did you become a Penetration Tester?
From Linux sysadmin to pentester.

What advice would you give to someone interested in becoming a Penetration Tester?
Do techblog under your real name. You will check all before post because everyone else will call you lame.


Harshit Sharma

Harshit is a Cyber Security Researcher, Ethical hacker and CEO at Techinvo.

How did you become a Penetration Tester?
I used to get bullied alot so in that way i got ento hacking and ethical hacking.

What advice would you give to someone interested in becoming a Penetration Tester?
Pursue it with full passion.


Leave a comment or reply below...thanks!