
A penetration tester could...

  • Practice "social engineering" by trying to convince a company's employees to reveal their passwords.
  • Help a bank find vulnerabilities in its website and help protect customer account information.
  • Try to break through a company's firewall to gain access to its private network.
  • Test if a website will let a user upload files containing malicious code.

Key Facts & Information

Overview: In movies and in the media, computer hackers are often portrayed as the bad guys—criminals who steal money or important information. What if you could be a good hacker? Somebody whose job is to find security flaws in computer systems; but rather than exploiting them for personal gain, you help fix the problems before criminals can find them? That is what penetration testers—also called "white hat" or "ethical" hackers—do. Companies pay them to intentionally try to break into their systems to expose vulnerabilities. It is a bit like paying somebody to try and break into your house so you can fix a broken lock or loose window if they find their way inside. If you have always dreamed of being a hacker, but do not want to break the law, this could be the career for you!
Key Requirements: Creativity, analytical skills, attention to detail, problem-solving skills
Minimum Degree: Bachelor's degree
Subjects to Study in High School: Computer science, algebra, algebra II, pre-calculus, calculus, statistics, English
Median Salary: [Chart comparing Penetration Tester, U.S. Mean Annual Wage, and Min Wage]
Projected Job Growth (2014-2024): More Slowly than Average (3% to 6%). In Demand!
  • Watch this video to see multiple short interviews with security professionals at BlackHat and DEFCON, two major security conferences held in Las Vegas.
  • Check out this interview, which includes career advice from Ian Whiting, CEO of Titania.
  • Watch this interview with Tim Varkalis in which he describes his job as a penetration tester.

Education and Training

Penetration testers typically have a bachelor's degree in information technology, computer science, or a related field. However, sufficient work experience will sometimes be accepted instead of a degree. As the demand for cybersecurity professionals continues to grow, some schools are starting to offer more specific cybersecurity-related degrees. Additional professional certifications, like Certified Ethical Hacker (CEH), may be preferred. Since the field of information security changes rapidly as computer technology advances, penetration testers must stay up-to-date on the latest advances in their industry, including the latest attacks by malicious or "black hat" hackers and the attempts by "white hat" hackers to prevent them. It is important to avoid any illegal black hat hacking activities of your own, as many penetration tester jobs require background checks or security clearances, or even a polygraph test. A history of criminal behavior or illegal hacking, even if it was "just for fun," could ruin your prospects of a white hat hacking career.

Other Qualifications

Penetration testers must have excellent creative, analytical, critical thinking, and problem-solving skills. However, it is important to have interpersonal skills in addition to the computer-related skills. Social engineering can be a big part of penetration testing, so interacting with other people, and even gaining their trust (like letting you log in to their account or sharing their password), can be an important part of the job. Penetration testers may also be responsible for preparing reports and explaining to executive staff or management what the damages of a cyberattack could be (for example, loss of customer trust if credit card data is stolen, and the resulting financial fallout) and why it is worth the investment to preemptively fix vulnerabilities.
Watch this video to see interviews with multiple experts in the field of information security.

Nature of the Work

Penetration testers are skilled workers who are hired as "ethical hackers." They are hired by companies and government agencies to expose vulnerabilities in their web and computer systems by intentionally trying to hack into those systems. However, rather than stealing information for personal gain (for example, customer credit card numbers or sensitive trade secrets), the penetration testers tell their clients about the vulnerabilities they have found so they can be fixed. Penetration testers could work for a large company that has internal employees to test its own systems, but many times they work for third-party consulting agencies that may be hired by many other organizations.

A penetration tester's job may take different forms. For example, a penetration tester might be hired by an outside company to perform penetration testing. The company could hire the tester to do cooperative testing (where the company's employees are aware that the penetration test will take place), or they could do secretive or "blind" testing, where the company's employees do not know the penetration tester has been hired. This means they cannot tell the difference between the penetration test and a "real" attack, so it tests how the company's employees will respond. Depending on the level of cooperation versus secrecy, the penetration testers may be given information about and access to the company's systems, or they might have to do their own research and reconnaissance (simulating the situation a real attacker would be in).

A penetration tester may run a variety of tests to test a company's systems. Some of them may be industry-standard tests and some may be unique and developed on a case-by-case basis. For example, one standard test involves testing websites that allow users to upload files to see if they will allow the user to upload a file containing malicious code or a virus (however, the "virus" will be designed not to do any real damage to the company's systems). However, not all tests are electronic in nature. Some tests may involve "social engineering," or exploiting people to gain access to a company's systems. This could range from simply checking to see if employees keep their passwords written on sticky notes near their desks to sneaky actions intended to gain unauthorized access—like convincing a security guard to let you into a building because you forgot your ID card, or leaving a USB drive with a virus on it in the company parking lot, and hoping somebody will connect it to their computer to find out what is on it.

After completing a test or series of tests, penetration testers will usually prepare a report on the results and any vulnerabilities that they found. They may present this report to a manager or company executives to detail the vulnerabilities they exposed, what could happen if a real criminal exploited them, and how they can be fixed to prevent future attacks.

Work Environment

Penetration testers typically spend the majority of their time working in an office environment, usually in front of a computer. They may have meetings with other people in the office during the day, and occasionally travel for conferences and professional meetings. Most analysts work full-time (40 hours per week). Since most of the penetration tests are performed online, they may work remotely. Sometimes they might be hired to do on-site penetration testing for a client, which could require travel.

Like other workers who spend long periods of time typing on a computer, penetration testers are susceptible to eyestrain, back discomfort, and hand and wrist problems, such as carpal tunnel syndrome or cumulative trauma disorder, but preventative measures can be taken.

On the Job

  • Do reconnaissance on a target company's potential vulnerabilities (in other words, get paid to spy!).
  • Run pre-determined, industry-standard or automated tests on a company's computer system.
  • Brainstorm, develop, and implement your own tests and attacks based on your reconnaissance.
  • Test physical security, like trying to sneak into a building by pretending to be an employee who forgot his or her ID card.
  • Practice social engineering attacks, like trying to get employees to reveal their passwords.
  • If an attack is successful, "steal" information to prove that criminals could also access the data.
  • Carefully document the results of any exploits or vulnerabilities you find.
  • Report your results to management or to a client (if you are hired as a consultant by an outside company) and explain what they need to do to fix the problems.

Explore what you might do on the job with one of these projects...

Science Fair Project Idea
You might think that one sure-fire way to keep your computer safe from hackers is to disconnect it from the internet entirely. But did you know that even without internet, a computer can transmit data using light, sound, vibrations, or even heat? In this project, you will investigate how a spy or hacker can steal data from an "air-gapped" computer that has no internet connection. You can even use a smartphone equipped with a sensor app to demonstrate how the data can be picked up by a nearby…
Science Fair Project Idea
When you hear the word "encryption," you might think about modern computers and things like email and online bank accounts. But did you know that encryption has been around for thousands of years? In this project you will learn about the Caesar cipher, a simple type of encryption that replaces each letter of the alphabet with another letter, and demonstrate how a modern computer can crack this ancient code in just a few seconds.
Science Fair Project Idea
Many websites ask you to answer "security questions," like "What is your mother's maiden name?," to recover your account if you ever forget your password or login ID. However, sometimes the answers to those questions are easy to find online. Does this pose a risk to the security of important accounts like email and online banking? Are people even aware that this information about them is available online? In this project, you will investigate how secure people think security questions are, and…
Science Fair Project Idea
How many websites do you have accounts with that store personal information like your name, email, phone number, or mailing address? If the people running these websites are not careful, hackers could gain unauthorized access to, and even change or delete, your information. They can do this using something called SQL injection, which involves entering malicious code into text fields on a website. In this project you will learn how SQL injection works and figure out how to prevent it.

Ask Questions

Do you have a specific question about a career as a Penetration Tester that isn't answered on this page? Post your question on the Science Buddies Ask an Expert Forum.
