Penetration testers discover and report on information technology (IT) security weaknesses such as those in computer systems and databases.
Penetration testers usually earn $92K-$137K per year.
Source: AbsoluteIT, 'Tech Remuneration Report', 2018.
Pay for penetration testers varies depending on their skills and experience. According to AbsoluteIT, IT security workers (which include penetration testers) in the:
- lowest-paid group earn an average of $92,000 a year
- middle pay range earn an average of $117,000
- highest-paid group earn an average of $137,000.
IT security workers working as contractors earn an average of $85 to $140 an hour.
Source: AbsoluteIT, 'Tech Remuneration Report', January 2018.
- AbsoluteIT website - January 2018 Tech Remuneration Report (PDF - 3.17MB)
- PAYE.net.nz website - use this calculator to convert pay and salary information
What you will do
Penetration testers may do some or all of the following:
- keep up to date with cyber security threats and software used by hackers
- analyse how organisations use their IT systems and where security weaknesses may occur
- attempt to break into IT systems to discover their security weaknesses
- create tests to identify and exploit weaknesses and security issues in IT systems
- monitor IT systems to discover new vulnerabilities
- produce reports to help organisations correct their IT security weaknesses.
Skills and knowledge
Penetration testers need to have:
- strong analytical and diagnostic skills
- knowledge of computer systems, software and technology
- knowledge of operating and networking systems, methods and devices
- the ability to do manual and automated security tests
- knowledge of coding languages such as Java or C++
- understanding of security software and penetration tools such as Metasploit, Fortify and AppScan
- up to date understanding of internet threats, hacking tools and current IT security practices
- in-depth knowledge of security monitoring.
Working conditions
Penetration testers:
- usually work full time and may also work evenings and weekends, and be on call
- work in their own or clients' offices
- work in conditions that may be stressful, because they work to strict deadlines while responding to security threats
- may travel locally or overseas to meet clients.
There are no specific requirements to become a penetration tester. However, you usually need one or more of:
- a certificate, diploma or degree, preferably in an IT-related subject such as network engineering, computer science or cyber security
- a relevant industry-based certification, such as Offensive Security Certified Professional (OSCP) or CREST Ethical Security Tester, which people usually study for after they have IT experience
- three to seven years’ experience in intermediate-level security roles such as security analyst or related roles such as network or systems administrator, or helpdesk administrator.
Common ways of gaining IT-related knowledge include learning through online courses and tutorials, and working on your own projects.
If you are a graduate from a field other than IT, you can gain a fast-tracked IT-related qualification through ICT Graduate Schools.
- Tertiary Education Commission website - information on ICT graduate schools
- Cyber Degrees website - find out about certifications for cyber security
- International Info System Security Certification Consortium website - find out about CISSP certification
A tertiary entrance qualification is needed to enter tertiary training. Useful school subjects include digital technologies, maths, physics and English.
For Year 11 to 13 students, the Gateway programme is a good way to gain industry experience.
Penetration testers need to be:
- creative and imaginative as they need to design and create tests
- good at analytical thinking
- good at problem solving
- skilled at verbal and written communication as they have to create reports and communicate with technical and non-technical staff
- detail-oriented and curious as they have to work on complex technical questions.
Useful experience for penetration testers includes:
- working in IT-related jobs such as IT support technician
- on-the-job training through IT internships
- hacking experience gained through study or hacking conferences
- working on individual IT projects such as setting up your own penetration testing lab or assembling computers.
- NxtSteps website - find IT internships and graduate programmes
- Summer of Tech website - information on the IT internship programme
Penetration testers spend a lot of time using computers, so they need to know how to use computer equipment properly to avoid occupational overuse syndrome (OOS).
Penetration testers may choose to become certified or chartered through associations such as the Institute of IT Professionals.
Find out more about training
- Engineering New Zealand
- (04) 473 9444 - email@example.com - www.engineeringnz.org
- IT Professionals
- 0800 252 255 - firstname.lastname@example.org - www.itp.nz
- (09) 475 0204 - email@example.com - www.nztech.org.nz
What are the chances of getting a job?
Penetration testers are in high demand due to:
- increasing numbers of organisations shifting services and systems online
- the ease with which hackers can access and damage online information or networks, because information is increasingly available through multiple devices and the "Internet of Things" – anything connected to the internet, including vehicles and home appliances.
Shortage of penetration testers
The need for penetration testers is increasing but there are not enough to meet demand, and not enough information technology (IT) trainees or juniors who can progress into the role.
As a result, ICT security specialist (which includes penetration tester) appears on Immigration New Zealand's long-term skill shortage list. This means the Government is actively encouraging skilled penetration testers from overseas to work in New Zealand.
How to get your first IT job
You can improve your chances of getting an IT job by gaining experience through government and IT industry initiatives, which include:
- internships such as Summer of Tech
- graduate programmes offered by IT companies
- events such as hackathons
- mentoring programmes
- programmes to encourage more women into IT, such as Shadow Tech.
- Summer of Tech website - find out about their IT internship programme
- ShadowTech website - find out about ShadowTech
- Cyber Security Challenge website - find out about their next event
Types of employers varied
Penetration testers may work for a wide range of organisations, including:
- private companies that provide computer, database and network security services to other organisations
- government departments and other large organisations
- telecommunications and energy companies.
Penetration testers may also be self-employed.
Sources:
- AbsoluteIT, 'Employer Report', March 2017, (www.absoluteit.co.nz).
- Hays, 'Hotspots of Skills in Demand, January – June 2018', (www.hays.net.nz).
- Immigration New Zealand, 'Long Term Skill Shortage List', 19 February 2018, (www.immigration.govt.nz).
- Paredes, D, 'The Untrammelled Rise of the Cyber Security Professional', CIO, accessed 24 March 2017.
- Seath, S, and Drew, C, 'Cyber Security Skills Report', Greater Wellington Regional Council, September 2016.
- The Domain Name Commission, '.nz Statistics by Financial Year', accessed February 2018, (www.dnc.org.nz).
- University of Waikato website, 'Students Urged to Combat Cybercrime', 30 March 2017, (www.waikato.ac.nz).
- Vaughan, J, 'Job Openings in Cybersecurity Expected to Skyrocket in 2017', accessed 23 March 2017.
Progression and specialisations
Penetration testers may progress to set up their own business, or move into roles such as:
- principal security tester
- security incident response specialist
- public speaker and security researcher
- security software developer
- security manager
- chief technology officer (CTO)
- chief information security officer (CISO).
Penetration testers may specialise in:
- cloud security – testing the security of data stored on servers hosted on the internet
- internet security – testing the security of access to computer systems and databases via the internet
- mobile security – testing the security of smartphones and other portable devices, and the networks they connect to
- network security – testing the security of the internal computer network of an organisation.
Last updated 12 November 2019