Career roadmap

Penetration Tester

How to become a Penetration Tester in the UK — from £35k junior at NCC/PwC to £100k senior at a boutique. CREST CRT/CCT and OSCP are the credentials that gate the market.

Year-by-year milestones

  1. Year 0 (graduate)Junior Penetration Tester£32k–£42k

    Shadow seniors, run external infrastructure tests, basic web app tests, report writing.

  2. Year 1–2Penetration Tester (post-OSCP / CRT)£45k–£65k

    Own client engagements end-to-end, web/mobile/network test, scope client calls.

  3. Year 3–5Senior Penetration Tester / Red Teamer£65k–£95k

    Lead red team engagements, CBEST/TLPT-scope work, mentor juniors, contribute to OST.

  4. Year 5+Principal Tester / Team Lead£95k–£130k+

    Own a service line (cloud / red team / OT), client relationships, recruiting, research output.

Pen-testers simulate adversaries against client environments to find and report vulnerabilities. UK market is dominated by CHECK-scope work (government) and CBEST / TLPT (financial regulator) which require CREST certification. Commercial-scope work is OSCP-led. ## Career milestones ### Year 0 (graduate) — Junior Penetration Tester _Salary: £32k–£42k_ Shadow seniors, run external infrastructure tests, basic web app tests, report writing. ### Year 1–2 — Penetration Tester (post-OSCP / CRT) _Salary: £45k–£65k_ Own client engagements end-to-end, web/mobile/network test, scope client calls. ### Year 3–5 — Senior Penetration Tester / Red Teamer _Salary: £65k–£95k_ Lead red team engagements, CBEST/TLPT-scope work, mentor juniors, contribute to OST. ### Year 5+ — Principal Tester / Team Lead _Salary: £95k–£130k+_ Own a service line (cloud / red team / OT), client relationships, recruiting, research output. ## Core skills - External + internal infrastructure testing - Active Directory attack chains - Web application testing (OWASP Top 10 + business logic) - Mobile app testing (iOS/Android) - Cloud-native pen testing (AWS/Azure/GCP IAM abuse paths) - C2 frameworks (Cobalt Strike, Mythic, Sliver) - Custom tool dev in Python/C#/Go - Commercial report writing ## Recommended certifications - `oscp` - `security-plus` ## First 90 days in the role Shadow 4–6 different engagement types. Read every senior tester's last 10 reports. Build your own personal methodology playbook — refine it after every engagement. ## Common pitfalls Becoming a tool-runner. Senior testers are paid for the chain — 'I noticed X plus Y plus Z, so I pivoted to Q' — not for running Nessus. Document your thought process, not just your output.

Frequently asked questions

CREST CRT or OSCP first?

OSCP first — it teaches you to actually pen-test. Then CRT to unlock UK CHECK-scope work.

Can I freelance as a pen-tester?

Senior testers with CREST CCT + a track record yes — £600–£1200/day. Junior freelancing is rare.

Is the role being replaced by automated tools?

Automated tools (Pentera, Horizon3) replace baseline external testing but not red team, social engineering, or chained-exploit work — those are growing.

How do I move from pen tester to red teamer?

Build TTP-led muscle: rebuild the MITRE ATT&CK chain in your lab, contribute to open-source C2, run internal purple-team exercises. Then apply for red team specialist roles.

Map your own roadmap

Get a personal gap report, AI Career Twin and practice keyed to your target band.

Start free
// related