How to Become a Penetration Tester

After our recent hiring drive, we got a lot of questions from people wanting to know how they can improve their chances of breaking into cyber as a penetration tester. To help out, we've put together this blog post to explain what we're looking for in our candidates.

How to Become a Penetration Tester

When it comes to applicants for entry-level penetration testers, we’re concentrating on two key aspects.

#1 - Demonstratable Eagerness to Learn

Why do we value eagerness to learn? Because working in tech, especially in cybersecurity, is like walking the wrong direction on a moving sidewalk. You need to keep moving forward to stay in place. If you stop learning, you'll quickly fall behind with the constant updates and new developments.

But simply claiming you're eager to learn isn't enough; you need to show it!

Talk is cheap, but actions are priceless.

Now more than ever, there's an abundance of both free and paid cybersecurity learning resources available — the options are endless. You don't have to wait until you've secured the job to start learning.

Given the vast amount of training material available, we particularly value practical learning experiences. A substantial Hack The Box (HTB) portfolio, hands-on certifications like the BSCP, engagement in CTF competitions, or even an attempt at the OSCP (acknowledging that the OSCP is expensive) stand out to us significantly.

#2 - Strong IT Fundamentals

This leads us to the second crucial quality we seek in candidates: strong IT fundamentals.

We firmly believe that to effectively break something, one must, at least to some extent, understand how it works.

Yup, that’s about right…
by u/Missing_Space_Cadet in Kalilinux

This still cracks me up!

An IT or computer science bachelors degree is one way to brush up on these fundamentals.

While the cybersecurity industry has often been criticised for gatekeeping, particularly toward those without relevant degrees, if the goal is to select for candidates with strong fundamentals, it can be understandable that some hiring managers will use a degree as a filter.

At a minimum, a bachelors university graduate has likely spent 1-2 years focusing solely on building these fundamental skills, which is not something to overlook. In contrast, many candidates from other backgrounds might not have the experience of writing a SQL query before attempting to exploit SQL injection vulnerabilities.

There are, however, alternative routes to acquiring these fundamental skills. For instance, developing a small web application can offer insights into data structures and Model-View-Controller (MVC) architectures. Setting up a homelab to experiment with complex networking and Type 0 Hypervisors can help you understand enterprise IT environments. Contributing to an open-source project can be a great way to learn about software development practices. Most importantly with these activities, whenever you encounter something unexpected or something you don't fully understand, take the time to research and grasp the underlying reasons/concepts and over time these activities can help you bridge those gaps in knowledge.


The effort you invest in building your knowledge base and practical skills will ultimately be what sets you apart.

We hope this article has helped illustrate what we're seeking in candidates and inspires you to embark on your journey with more confidence.