
How to Become a Penetration Tester: Skills, Certs and First Steps

You want to get paid to hack. To think like an attacker, find the vulnerabilities that defenders missed, and hand over a report that actually makes organisations safer. Good news: that is a real job, it pays well, and the demand for people who can do it is growing fast.

Salaries range from $70,000 to $150,000 depending on experience and location, and the global penetration testing market is projected to expand by more than 24% through 2026. The opportunity is there. The question is how to get ready for it.

Here is the honest roadmap.


What the Job Actually Looks Like

Let's clear something up first. Penetration testing is not a lone hacker typing furiously in a dark room. It is a structured, methodical discipline. Understanding the shape of it is what makes your preparation focused rather than scattered.

Every engagement follows the same lifecycle. You agree the scope with the client. You map the attack surface through reconnaissance and enumeration. You identify what is exploitable. You exploit it, capture evidence, and document impact. Then you write the report.

That last part is the one most beginners underestimate. The report is what the client pays for. A technically brilliant tester who cannot communicate findings clearly is less valuable than one who can. Keep that in mind from day one.


Build in Layers, Not All at Once

Penetration testing skills stack. Try to learn everything at once and nothing sticks. Build in layers and each one makes the next one faster.

Layer 1: Foundations

Networking, Linux, Windows, scripting. This is the vocabulary. Without it, techniques are just steps to memorise rather than concepts you understand. Know how Kerberos authentication works before you attempt Kerberoasting. Know how web apps handle database queries before you attempt SQL injection.

TryHackMe's Pre Security path and Cyber Security 101 path are built for exactly this moment. Four to six weeks here sets you up for everything that follows.

Layer 2: Offensive fundamentals

Three domains cover the majority of real engagement work. Web application testing with Burp Suite, OWASP Top 10, and manual exploitation. Network penetration with Nmap, service exploitation, and privilege escalation. Active Directory attacks with BloodHound, Kerberoasting, and Pass-the-Hash.

The Jr Penetration Tester path covers all three in sequence. Its guided rooms explain the technique, then drop you in a live environment to apply it. Work through the full path and your public profile tells the story: hundreds of hours of documented, hands-on offensive security practice. That profile is evidence. Use it.

Layer 3: Methodology and reporting

Knowing techniques is not enough. Real engagement work requires structure: enumerate before you exploit, document as you go, understand what your access enables before moving on, and build findings into a report clients can act on.

This is exactly what the PT1 certification tests. A 48-hour practical exam across web, network, and Active Directory targets with a graded professional report as a core component. Pass PT1 and you have proved you can run a structured engagement, not just exploit a vulnerability.

Layer 4: Specialise

Cloud, red team operations, mobile, AI security, hardware and IoT. Specialisation comes after you have a solid generalist foundation and a first role. Not before. Unlock this layer once you are in the game.


The Certs That Open Doors

PT1 is your first target. It maps directly to the Jr Penetration Tester path, is recognised at junior level, and gives you a graded professional report as part of the assessment. Premium subscribers get a 15% discount.

OSCP is the gold standard. It appears in more penetration testing job postings than any other certification. A 24-hour practical exam, a professional report, and a reputation the industry respects. This is not a starting point. It is the target you work toward after PT1, once your offensive fundamentals are battle-tested.

eJPT is worth considering if you want an early credential while building toward PT1. Less rigorous but a solid structured starting point and something concrete to show employers while you are still levelling up.


Your Month-by-Month Roadmap

Stop wondering where to start. Here it is.

Months 1 to 2: Pre Security and Cyber Security 101 paths on TryHackMe. Get comfortable with Linux, networking, and the command line. Do not skip this stage. The foundations are what make every technique click when you reach Layer 2.

Months 3 to 5: Start the Jr Penetration Tester path. Work through web, network, and Active Directory in sequence. Treat every room as a writeup opportunity: document what you found, what tools you used, what the technique exploits. Publish on GitHub. This is your portfolio building in real time.

Months 5 to 7: Complete the Jr Penetration Tester path and sit PT1. By now your TryHackMe profile should show consistent activity across hundreds of rooms, your writeup folder should have ten or more documented challenges, and PT1 validates the whole stack. That combination is a genuinely compelling entry-level portfolio.

Months 7 to 12: Start applying. Begin OSCP preparation in parallel. Move from guided rooms to unguided machines. The gap between "I can follow a room" and "I can root a machine without hints" is where real penetration testing capability lives. Close it with deliberate, unguided practice.


What the Market Looks Like

The numbers are worth knowing. Entry-level penetration testers earn around $90,500 on average in the US, with junior roles at one to three years averaging $100,500. PayScale puts the entry-level figure at $72,823 based on reported salaries, rising to $96,429 at one to four years of experience. The range is wide because location, employer type, and specialisation all move the number significantly.

The market at entry level is competitive but not closed. Penetration testers are evaluated on OWASP, Metasploit, Burp Suite, and Nmap proficiency, and on MITRE ATT&CK knowledge for designing realistic attack scenarios. Candidates who demonstrate these skills with documented evidence rather than claimed knowledge are the ones who get through technical screens.


Mistakes That Cost You Time

Aiming for pentesting before building foundations. SOC Tier 1 analyst is a faster first move for most people. Get hired, build operational security experience, then transition into penetration testing. It is a well-trodden path and it works.

Staying in guided environments too long. Guided rooms build technique familiarity. Unguided machines build problem-solving ability. You need both. Most people spend too long in the guided stage before they push into the harder stuff.

Neglecting reporting. Exploit screenshots without written findings do not demonstrate professional readiness. Every machine you compromise is a chance to write a professional-style finding. The candidates who include sample reports in their applications stand out immediately.

Waiting for OSCP before applying. PT1 plus a strong portfolio plus consistent documented lab work is enough to get into a junior role. Do not wait. Apply. OSCP is the goal for your first year in the role, not the gate you need to pass to get there.


Your Next Challenge Starts Here

The Jr Penetration Tester path is the most structured route from beginner to job-ready offensive security skill. Work through it. Document everything. Earn PT1. Build a portfolio that speaks for itself.

Crack your first room. Root your first machine. Level up.

Author: Nick O'Grady
May 11, 2026
