Penetration testers investigate security weaknesses in online systems and databases.
Penetration testers usually earn
$100K-$200K per year
Source: Recruit I.T., 2023.
Pay for penetration testers depends on skills, experience and where you work, with pay in Auckland being higher.
Penetration testers can earn $100,000 to $200,000 a year.
Sources: Recruit I.T., 'Auckland Technology & Digital Salary Update, June 2023’; and Recruit I.T., ‘Wellington Technology & Digital Salary Update, June 2023’.
- Recruit I.T. website - Auckland Technology & Digital Salary Update, June 2023 - (PDF - 924KB)
- Recruit I.T. website - Welllington Technology & Digital Salary Update, June 2023 - (PDF - 924KB)
(This information is a guide only. Find out more about the sources of our pay information)
What you will do
Penetration testers may do some or all of the following:
- keep up to date with cyber security threats and software used by hackers
- analyse how organisations use their IT systems and where security weaknesses may occur
- attempt to break into IT systems to discover their security weaknesses
- create tests to identify and exploit weaknesses and security issues in IT systems
- monitor IT systems to discover new vulnerabilities
- produce reports to help organisations correct their IT security weaknesses.
Skills and knowledge
Penetration testers need to have:
- strong analytical and diagnostic skills
- knowledge of computer systems, software and technology
- knowledge of operating and networking systems, methods and devices
- the ability to do manual and automated security tests
- knowledge of coding languages such as Java or C++
- understanding of security software and penetration tools such as Metasploit, Fortify and AppScan
- up to date understanding of internet threats, hacking tools and current IT security practices
- in-depth knowledge of security monitoring.
- usually work full time and may also work evenings and weekends, and be on call
- work in their own or clients' offices
- work in conditions that may be stressful, because they work to strict deadlines while responding to security threats
- may travel locally or overseas to meet clients.
What's the job really like?
Penetration tester video
Gandhar talks about life as a penetration tester – 3.42 mins.
So the official job title is penetration tester, also known as ethical hacker. Sort of the good guys. A penetration tester finds issues and vulnerabilities in client infrastructure. That could be in the form of a web app, mobile app and cloud infrastructure. Finds those vulnerabilities, creates a report and sends that off to our client.
Essentially I look to break stuff. I’m trying to break a web application or mobile app down to its bare bones and see if it still can run properly. I try to get the application to do unexpected things and take advantage of the unexpected response. If the application exposes itself I can pick up on there and cascade down into bigger attacks.
So the end goal is basically just to secure our clients' systems. So me working as a good hacker can try to hack these applications legally and find the vulnerabilities that the bad guys would find, and if I can find it and notify those to our client, they can mitigate those risks of a bad guy doing the exact same thing, stealing their data, crashing down servers and breaking down web applications.
The thing I like the most about this job is the learning aspect, so you’re always learning something new. We have projects that run for three to five days, and each project would be different. My project manager manages all my projects and makes sure that I have enough time for the project. I would have client meetings as well. Making sure everyone’s on the same page and that we have all the requirements that we need to start testing.
Week one I might be doing a mobile app. Week two I’ll probably do a cloud app or a web app, and each project introduces a different system, different software, different tools, and you’re basically just learning on the go. It’s a huge learning curve. That’s how it varies. You’re always doing something different per project.
I would definitely say a qualification would help your application, because you’ve got that basic understanding of tech itself. But if you can program a small application, if you can read code and you would definitely need to have a basic understanding of the networking protocols, so TCP/IP, ARP, and have a basic understanding of the vulnerabilities. Simple vulnerabilities like XSS, SQLI, REC, LFI, RIF. You would definitely need to have a bit of knowledge about that.
This job can get quite fatiguing and quite exhaustive. It’s a lot of grunt work. It’s a lot of long hours behind the computer, so it’s very important to look after your body and your mind.
I would say the most important attribute in this job would be curiosity. You have to have the inclination to be curious about stuff. Curious about how things work, curious about how to turn things and how to break things. That will really go a long way into the career.
The biggest challenge I face is the technical challenges itself. When you’re trying to break something there’s always going to be defences, there’s always going to be things that stop you, so you sort of need to have the grit to just keep going.
As a hacker when you penetrate a web application or when you get through the firewalls it sort of gives you a hit of dopamine. It gives you a surge of excitement or satisfaction. That’s sort of where my passion comes from. It’s quite rewarding as well at the same time.
I would recommend a role in cybersecurity because you’re always on your toes. You’re always learning something new. Like any tech job, you can jump between different disciplines. There’s a lot of opportunity, there’s a lot of growth. That and the fact that they do come with perks. Competitive pay salary and just a chill work environment as well.
Honestly it just never gets boring.
There are no specific requirements to become a penetration tester. However, you usually need one or more of:
- a certificate, diploma or degree, preferably in an IT-related subject such as network engineering, computer science or cyber security
- a relevant industry-based certification, such as Offensive Security Certified Professional (OSCP) or CREST Ethical Security Tester, which people usually study for after they have IT experience
- three to seven years’ experience in intermediate-level security roles such as security analyst or related roles such as network or systems administrator, or helpdesk/support technician.
Common ways of gaining IT-related knowledge include learning through online courses and tutorials, and working on your own projects.
- Cyber Degrees website - certifications for cyber security
- International Info System Security Certification Consortium website - CISSP certification
A tertiary entrance qualification is needed to enter tertiary training. Useful school subjects include digital technologies, maths, physics and English.
For Year 11 to 13 students, the Gateway programme is a good way to gain industry experience.
Penetration testers need to be:
- creative and imaginative as they need to design and create tests
- good at analytical thinking
- good at problem solving
- skilled at verbal and written communication as they have to create reports and communicate with technical and non-technical staff
- detail-oriented and curious as they have to work on complex technical questions.
Useful experience for penetration testers includes:
- working in IT-related jobs such as IT support technician
- on-the-job training through IT internships
- hacking experience gained through study or hacking conferences
- working on individual IT projects such as setting up your own penetration testing lab or assembling computers.
- NxtSteps website - IT internships and graduate programmes
- Summer of Tech website - IT internship programme
Penetration testers spend a lot of time using computers, so they need to know how to use computer equipment properly to avoid occupational overuse syndrome (OOS).
Penetration testers may choose to become certified or chartered through associations such as the Institute of IT Professionals.
Find out more about training
- IT Professionals
- 0800 252 255 - email@example.com - www.itp.nz
- (09) 475 0204 - firstname.lastname@example.org - www.nztech.org.nz
What are the chances of getting a job?
Penetration testers in demand
Penetration testers are in high demand due to:
- organisations shifting services and systems online
- increasing numbers of devices that are connected to the internet, including vehicles, which hackers can access and damage online.
Shortage of experienced penetration testers
There are not enough experienced penetration testers to meet demand. Nearly two thirds of IT employers report skills shortages, and there aren't enough information technology (IT) trainees.
As a result, ICT security specialist (which includes penetration tester) appears on Immigration New Zealand's long-term skill shortage list. This means the Government is actively encouraging skilled penetration testers from overseas to work in New Zealand.
According to the Census, 468 penetration testers worked in New Zealand in 2018.
How to get your first IT job
You can improve your chances of getting an IT job by gaining experience through government and IT industry initiatives, which include:
- internships such as Summer of Tech
- graduate programmes offered by IT companies
- events such as hackathons
- mentoring programmes.
Types of employers varied
Penetration testers may work for a wide range of organisations, including:
- private companies
- government departments and other large organisations
- telecommunications and energy companies.
Penetration testers may also be self-employed.
- Hays, 'IT Salary Guide and Recruiting Trends', accessed November 2021, (www.hays.net.nz).
- Recruit I.T., 'Technology and Digital Salary Update Auckland', Recruit I.T., 'Technology and Digital Salary Update Wellington', July 2021, (www.recruitit.co.nz).
- Stats NZ, '2018 Census Data', 2019.
(This information is a guide only. Find out more about the sources of our job opportunities information)
Progression and specialisations
Penetration testers may progress to set up their own business, or move into roles such as:
- principal security tester
- security incident response specialist
- public speaker and security researcher
- security software developer
- security manager
- chief technology officer (CTO)
- chief information security officer (CISO).
Penetration testers may specialise in:
- cloud security – testing the security of data stored on servers hosted on the internet
- internet security – testing the security of access to computer systems and databases via the internet
- mobile security – testing the security of smartphones and other portable devices, and the networks they connect to
- network security – testing the security of the internal computer network of an organisation.
Last updated 8 February 2024