What pen testing actually is
Penetration testing is a structured, authorised simulation of a real-world cyberattack. Unlike automated vulnerability scanning, pen testing relies on human creativity, persistence, and lateral thinking — combining individually discovered weaknesses into attack chains that demonstrate real-world risk. An automated scanner might report that a server is missing a patch for a published CVE; a skilled pen tester will use that weakness to gain a foothold, escalate privileges, pivot to adjacent systems, and show how far a real attacker could get.
Critically, all actions are authorised in advance through a Rules of Engagement document and a Scope of Work agreement. This legal authorisation is what separates penetration testing from criminal hacking. Without it, the same actions would be illegal.
The penetration testing methodology
Most pen testers follow a standardised methodology, often based on PTES (Penetration Testing Execution Standard) or OWASP Testing Guide:
1. Pre-engagement — Scope definition, rules of engagement, legal authorisation, timeline, and emergency contacts. No technical work until the paperwork is signed. This phase protects both the tester and the client.
2. Reconnaissance — Passive and active information gathering: OSINT (public data such as LinkedIn, job posts, GitHub), DNS enumeration, WHOIS lookups, and subdomain discovery. Building a map of the target before touching it.
3. Scanning and enumeration — Active probing of in-scope targets: port scanning (Nmap), service version detection, web application crawling, authentication probing. Building an inventory of attack surfaces.
4. Exploitation — Attempting to exploit identified vulnerabilities. This may involve using Metasploit for known CVEs, writing custom exploits, manually testing web application flaws, or social engineering (if in scope). The goal is to prove a vulnerability is exploitable, not just theoretical.
5. Post-exploitation — Once access is gained, the tester demonstrates impact: privilege escalation, lateral movement, data access, persistence. The question being answered: "If an attacker had this access, how bad could it get?"
6. Reporting — The most important deliverable. A professional pen test report includes an executive summary for non-technical stakeholders, technical findings with evidence, CVSS severity ratings, remediation recommendations, and retest notes. Writing clearly is as important as hacking skilfully.
Types of penetration testing
Core penetration testing tools
Most pen testers work from Kali Linux, the de facto standard offensive security distribution, or a comparable toolkit distribution. Key tools every pen tester must know:
- Nmap: Network mapping, port scanning, and service version detection — one of the first tools used in almost every engagement.
- Metasploit Framework: Exploit development, delivery, and post-exploitation. The most widely used penetration testing framework.
- Burp Suite: Web application testing proxy — intercepting, modifying, and replaying HTTP requests. Essential for web app assessments.
- Wireshark: Network protocol analyser for traffic capture and analysis.
- Hashcat / John the Ripper: Password cracking tools for offline attacks on captured password hashes.
- BloodHound: Active Directory attack path visualisation — identifies privilege escalation routes in Windows environments.
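To show how the scanning and enumeration step turns raw Nmap output into an attack-surface inventory, and how the scope agreed in pre-engagement gates what gets tested, here is an added Python example (not code from the page or from the Nmap project). The Nmap XML is constructed for the example, as are the 10.10.20.0/24 in-scope range, the excluded host 10.10.20.200 and the hostname web01.example.test; a real run would read the file produced by `nmap -sV -oX scan.xml <targets>`.

```python
"""Nmap XML -> attack-surface inventory, gated by the Rules of Engagement scope.

Added example (not from the original page). The XML below is constructed to
look like `nmap -sV -oX` output; the addresses and hostname are assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: two hosts, one of which the RoE excludes.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.20.0/24" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.20.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response"/>
        <service name="mysql" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.20.200" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


class Scope:
    """Rules-of-Engagement scope: CIDR allow-list with explicit exclusions.
    Exclusions win, so a carve-out inside an allowed range is honoured."""

    def __init__(self, allowed, excluded=()):
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self.excluded):
            return False
        return any(ip in net for net in self.allowed)


def parse_inventory(xml_text, scope):
    """Return (inventory, out_of_scope): one inventory entry per open port on an
    in-scope host, plus the addresses the scan touched that the RoE does not cover."""
    root = ET.fromstring(xml_text)
    inventory, out_of_scope = [], []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        if not scope.contains(addr):
            out_of_scope.append(addr)   # flag it; do not enumerate it further
            continue
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                # filtered/closed ports are not attack surface
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            inventory.append({
                "host": addr,
                "hostname": hostname,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
                # method="probed" means a version probe matched; "table" means Nmap
                # only guessed from the well-known port number, so verify by hand.
                "fingerprinted": get("method", "") == "probed",
            })
    return inventory, out_of_scope


if __name__ == "__main__":
    roe = Scope(allowed=["10.10.20.0/24"], excluded=["10.10.20.200"])
    inv, oos = parse_inventory(SAMPLE_NMAP_XML, roe)
    for e in inv:
        flag = "" if e["fingerprinted"] else "  (guessed, verify)"
        print(f"{e['host']}:{e['port']}/{e['proto']} {e['service']} "
              f"{e['product']} {e['version']}".rstrip() + flag)
    for addr in oos:
        print(f"WARNING: {addr} responded but is excluded by the RoE; report it, do not test it")
```

The out-of-scope list is the important part: a host that answers from inside a scanned range but is excluded by the Rules of Engagement goes into the report as a scope note and is never exploited, which is exactly the authorisation boundary the pre-engagement phase exists to draw.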
Salary and career progression
Penetration testing is one of the best-compensated specialties in cybersecurity:
- Junior Pen Tester: $60,000–85,000 USD
- Mid-level Pen Tester (3–5 years): $90,000–130,000 USD
- Senior / Lead Pen Tester: $130,000–180,000+ USD
- Bug bounty (freelance): Top researchers earn $200,000–500,000+ USD annually through programmes at Google, Apple, Microsoft, and Meta.
VAPTIC's CEH v13 course teaches the full ethical hacking methodology with real Kali Linux labs — the foundation every pen tester needs.