Penetration Testers
15-1299.04
Evaluate network system security by conducting simulated internal and external cyberattacks using adversary tools and techniques. Attempt to breach and exploit critical systems and gain access to sensitive information to assess system security.
Sample of reported job titles: Application Security Assessor, Application Security Hacker, Application Security Tester, Certified Hacker, Certified Tester, Consulting Advisory Tester, Cyber Assessment Tester, Cyber Assessor, Cyber Security Engineer, Cyber Security Tester, Cyber Tester, Cybersecurity Engineer (Cyber Engineer), Embedded Tester, Forensic Analysis Tester, Hacker, Hardware Hacker, Information Security Analyst, Information Security Assessor, IT Security Tester (Information Technology Security Tester), Network Security Engineer, Network Security Tester, Penetration Tester, Penetration Testing Consultant, Risk Tester, Security Application Tester, Security Architect, Security Assessment Tester, Security Automation Tester, Security Consultant, Security Consulting Tester, Security Engineer, Security Tester, Systems Security Tester, Tester, Vulnerability Analyst, Vulnerability Assessment Analyst
Occupation-Specific Information
Tasks
- Assess the physical security of servers, systems, or network devices to identify vulnerability to temperature, vandalism, or natural disasters.
- Collect stakeholder data to evaluate risk and to develop mitigation strategies.
- Conduct network and security system audits, using established criteria.
- Configure information systems to incorporate principles of least functionality and least access.
- Design security solutions to address known device vulnerabilities.
- Develop and execute tests that simulate the techniques of known cyber threat actors.
- Develop infiltration tests that exploit device vulnerabilities.
- Develop presentations on threat intelligence.
- Develop security penetration testing processes, such as wireless, data networks, and telecommunication security tests.
- Discuss security solutions with information technology teams or management.
- Document penetration test findings.
- Evaluate vulnerability assessments of local computing environments, networks, infrastructures, or enclave boundaries.
- Gather cyber intelligence to identify vulnerabilities.
- Identify new threat tactics, techniques, or procedures used by cyber threat actors.
- Identify security system weaknesses, using penetration tests.
- Investigate security incidents, using computer forensics, network forensics, root cause analysis, or malware analysis.
- Keep up with new penetration testing tools and methods.
- Maintain up-to-date knowledge of hacking trends.
- Prepare and submit reports describing the results of security fixes.
- Test the security of systems by attempting to gain access to networks, Web-based applications, or computers.
- Update corporate policies to improve cyber security.
- Write audit reports to communicate technical and procedural findings and recommend solutions.
Technology Skills
- Application server software - Docker 🔥; GitHub 🔥; Kubernetes 🔥
- Cloud-based management software - Google Cloud software
- Computer aided design CAD software - Ghidra
- Configuration management software - IBM Terraform 🔥
- Data base management system software - Database management systems
-
Data base user interface and query software -
Amazon Web Services AWS software
; Microsoft SQL Server 🔥; Structured query language SQL 🔥
-
Development environment software -
C ; Go ; Microsoft Azure DevOps Services; Microsoft Azure software ; Microsoft PowerShell ; Microsoft Visual Basic Scripting Edition VBScript; Oracle Java 2 Platform Enterprise Edition J2EE 🔥; Ruby ; Rust programming language; Software development tools; Software libraries; Web application software
- Enterprise resource planning ERP software - Management information systems MIS
- Enterprise system management software - Splunk Enterprise 🔥
- Expert system software - Ansible software 🔥
- Internet directory services software - Microsoft Active Directory 🔥
- Network monitoring software - IBM QRadar SIEM; Wireshark
- Network security and virtual private network VPN equipment software - Firewall software
-
Object or component oriented development software -
C# ; C++ ; Objective C 🔥; Oracle Java ; Perl ; Python
- Office suite software - Microsoft Office software 🔥
-
Operating system software -
Apple iOS ; Apple macOS 🔥; Bash ; Google Android ; Linux ; Magellan Firmware; Operating system software; Shell script 🔥; UNIX
- Program testing software - Kali Linux; MITRE ATT&CK software; System testing software
- Spreadsheet software - Microsoft Excel 🔥
- Transaction security and virus protection software - HP WebInspect; Invicti Acunetix; Metasploit; Nmap; Portswigger BurP Suite; Rapid7 Nexpose; Tenable Nessus
- Transaction server software - IBM Middleware; Web server software
-
Web platform development software -
JavaScript ; Microsoft Active Server Pages ASP 🔥; PHP 🔥; RESTful API; Security assertion markup language SAML
Occupational Requirements
Work Activities
Detailed Work Activities
- Evaluate characteristics of equipment or systems.
- Analyze risks to minimize losses or damages.
- Analyze security of systems, network, or data.
- Develop computer or information systems.
- Develop computer or information security policies or procedures.
- Test performance of electrical, electronic, mechanical, or integrated systems or equipment.
- Develop testing routines or procedures.
- Prepare scientific or technical reports or presentations.
- Discuss design or technical features of products or services with technical personnel.
- Prepare technical or operational reports.
- Interpret design or operational test results.
- Search files, databases or reference materials to obtain needed information.
- Investigate illegal or suspicious activities.
- Examine records or other types of data to investigate criminal activities.
- Stay informed about current developments in field of specialization.
- Test computer system operations to ensure proper functioning.
- Develop organizational policies or programs.
- Prepare analytical reports.