How to become a Penetration Tester in the UK — from £35k junior at NCC/PwC to £100k senior at a boutique. CREST CRT/CCT and OSCP are the credentials that gate the market.
Shadow seniors, run external infrastructure tests, basic web app tests, report writing.
Own client engagements end-to-end, web/mobile/network test, scope client calls.
Lead red team engagements, CBEST/TLPT-scope work, mentor juniors, contribute to OST.
Own a service line (cloud / red team / OT), client relationships, recruiting, research output.
OSCP first — it teaches you to actually pen-test. Then CRT to unlock UK CHECK-scope work.
Senior testers with CREST CCT + a track record yes — £600–£1200/day. Junior freelancing is rare.
Automated tools (Pentera, Horizon3) replace baseline external testing but not red team, social engineering, or chained-exploit work — those are growing.
Build TTP-led muscle: rebuild the MITRE ATT&CK chain in your lab, contribute to open-source C2, run internal purple-team exercises. Then apply for red team specialist roles.
Get a personal gap report, AI Career Twin and practice keyed to your target band.