As it stands, companies across the UK are improving their defensive security posture and bringing these functionalities in-house to give themselves greater control of their cyber security process, protocols and technologies.
However, there is also the offensive side of security: the penetration testers and the ethical hackers of the world. Within this remit there is an even split between bringing in external consultancies to complete penetration tests on the company infrastructure and hiring your own offensive security staff. Typically, working with a consultancy is going to cost you much more, so when you are trying to hire penetration testers to work for your organisation, what should you be paying them?
In the UK, there are about 600 adverts for penetration testers on LinkedIn, not including ethical hackers, security consultants, red team etc. - there are too many different job titles to measure them all (don’t get us started on hacking ninjas!). With so much competition you’ve got to make sure, if you’re looking for a penetration tester to work internally for your organisation, that your advert/job description is as attractive as possible. With that in mind, you also need to make sure the salary is going to be enticing enough for candidates to take interest. You want to attract the right sort of talent, at the right level of experience, and ultimately not pay over the odds (or under market value!) for the skill set you need.
Unlike SOC roles, the salary a penetration tester requires, and the value behind their work, is typically going to be based on their number of years’ experience. We have split penetration testers into junior, mid and senior levels and added some useful information on the certificates that candidates in each range might hold.
Junior - £25,000 - £40,000
Certificates: CEH (Certified Ethical Hacker), CompTIA PenTest+
Typically a junior penetration tester role will be filled by candidates who won’t have commercial experience but will have a good background in personal projects: individuals who spend their spare time on Hack The Box or Immersive Labs and just need a chance to develop themselves within a company. (NB some of the larger organisations have been known to pay £55,000 for entry-level red teamers… we’re not kidding!)
Mid - £40,000 - £65,000
Certificates: OSCE, GIAC GPEN, CHECK Team Member
Within this range you’ll find candidates that have a good amount of commercial experience (anything up to 5 years, for example) who have been involved in penetration tests both remotely and on-site with clients. Typically, they’ll have some experience working autonomously on projects as well as contributing to group work.
Senior - £65,000+
Certificates: OSCP, CHECK Team Leader
As the salary and level suggest, these candidates have years of commercial experience and really know their stuff. They’re skilled across infrastructure and application testing and have led multiple client-facing engagements. Typically, what we find at this level is that these candidates also get heavily involved in the security community, helping with research, giving talks at multiple events and publishing their own whitepapers.
When you hire a penetration tester, what’s really important is establishing your business need first. If you are only going to use them sporadically, is it cost-effective to hire someone internally, or would you be better placed using an external consultancy or a software solution? (Again, watch out for some consultancies and check out their reviews; we’ve heard some horror stories about how much people have been charged!)
If you have the need and can keep penetration testers occupied within your organisation, we always recommend hiring your own. They complement the defensive/blue team really well, and when these teams work in tandem you can create a really robust security solution that evolves daily to make sure your organisation is as secure as possible.
Staying in touch with the latest salary information is essential for employers, whether you’re looking to bring in new hires or just want to check what the competition are paying their staff in equivalent roles so you can retain your current team.
There are lots of things to consider with penetration tester salaries, so hopefully these points give you something to think about when looking to grow your team.
If you have any questions about what to pay your penetration testers or need some informal advice, then please feel free to get in touch.