
Can somebody tell me what pen testers typically earn?

I once talked to a firm doing pen testing and the figures they paid were the same as any other firm would pay a midlevel developer working in a regular software dept in a corporation in that city.

Assuming pen testing requires a skill level a notch or two above the 'average' developer, I would have normally assumed that ideally they would be paid significantly better.




I get the idea that most pen testers are entry-level and spend their time doing standard scanning and looking for standardized types of vulnerabilities using pre-built tools and techniques. The ones who can build those tools and come up with novel attacks against well-protected targets are the top of the heap.

What is probably scary is just how many commercial sites can be compromised by those standard well-known techniques.


> most pen testers are entry-level ... What is probably scary is just how many commercial sites can be compromised by those standard well-known techniques.

... and the thought that there's an army of underpaid, underappreciated folks who spend all day every day honing the craft to perfection.


Equifax Argentina (or was it all of South America?) was compromised from the admin password "password".

People are incredibly oblivious to how easy they are to break and how tempting a target they are.


'We used to quip that “password” is the most common password. Now it’s “password1.” Who said users haven’t learned anything about security?' -- Bruce Schneier
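The "password" / "password1" pattern the two comments above describe is exactly what a default-credential check in a scanner catches: compare each credential against a common-password list, after stripping the trailing digits or "!" that users add to get past a complexity rule, and also flag passwords equal to the username (the admin/admin case). The script below is an added example, not code from this thread or from any of the products mentioned; the password list and the credentials it audits are constructed stand-ins, and in practice you would load a real wordlist.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for a real default/common-password list (assumption:
# in practice load a scanner's wordlist). Deliberately short.
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "welcome"}

# Suffixes users bolt on to satisfy a complexity rule: one to four trailing
# digits, optionally followed by '!', or a bare trailing '!'.
_MANGLE_SUFFIX = re.compile(r"(?:[0-9]{1,4}!?|!)$")


def base_word(password: str) -> str:
    """Return the lowercase password with a common mangling suffix removed.

    "Password123!" -> "password", "password1" -> "password".
    """
    return _MANGLE_SUFFIX.sub("", password).lower()


def weakness(username: str, password: str) -> Optional[str]:
    """Name the rule that would catch this credential, or None if none does."""
    lowered = password.lower()
    core = base_word(password)
    if not lowered:
        return "empty password"
    if lowered in COMMON_PASSWORDS:
        return "common password"
    if core in COMMON_PASSWORDS:
        return "common password with suffix"
    # admin/admin style defaults: password equals the account name,
    # with or without a mangling suffix.
    if lowered == username.lower() or core == username.lower():
        return "password equals username"
    return None


def audit(credentials: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (username, password, reason) for every flagged credential."""
    findings = []
    for username, password in credentials:
        reason = weakness(username, password)
        if reason is not None:
            findings.append((username, password, reason))
    return findings


# Constructed sample credentials for the demo; not real data.
SAMPLE_CREDENTIALS = [
    ("admin", "password"),
    ("admin", "admin"),
    ("svc_backup", "Welcome2019!"),
    ("jdoe", "Tr0ub4dor&3"),
    ("ops", "123456"),
    ("root", "correct horse battery staple"),
]

if __name__ == "__main__":
    for username, password, reason in audit(SAMPLE_CREDENTIALS):
        print(f"{username}: {reason}")
```

Run against the constructed sample it flags four of the six accounts; the suffix stripping is what turns "Welcome2019!" into a hit, which a plain wordlist comparison would miss.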


I think it's about on par with what developers earn for the same skill bracket and location. As a pentester, I don't think it's necessarily about having _more_ skill than developers, it's just a different set of skills.


It widely varies depending on skill level, and unfortunately I can’t compare easily as I don’t know developer salaries.

If you’re in a major tech hub in the US, $75k for a junior, $150k for a senior, and upwards from there for someone with decent experience. $300k isn’t crazy for someone really good. Those are technical roles outside of management.

But those figures are skewed toward better orgs; some companies will take a fresh grad, throw them at some junk automated tools, and call them a pentester. This area of the industry is booming with the increase of compliance mandated testing.


Top tier bug bounty hunters can make hundreds of thousands per year on Hackerone/Bugcrowd/Synack.


How many hundreds are we talking?
