Penetration tester job description template (and hiring tips)

Hack The Box (HTB) helps hundreds of organizations tap into a global talent pool of over 200,000 infosec professionals. So it’s fair to say we know a thing or two about sourcing, assessing, and recruiting cybersecurity talent! 

If you’re hiring for a penetration testing role and want a job description template to inspire your next job ad, this post has got you covered. In addition to the sample job description, we’ve featured unique insights from our community and staff on how to identify what we (and many others in the cybersecurity community) consider a critical ability when hiring cybersecurity professionals:

The ability to think outside the box. 

Recommended read: Active directory cheatsheet and pentesting guide. 

Penetration tester job description

Overview 

We’re excited to share a highly rewarding and hands-on opportunity for a skilled and experienced Penetration Tester to join our growing team. As part of our team, you will be responsible for conducting penetration tests, vulnerability assessments, and reporting findings to help detect legacy and bleeding-edge security vulnerabilities in enterprise environments. 

You should have a firm grasp of networking, system administration, and web application security. The ability to think outside the box and go beyond conventional attack paths and exploits is highly valued by our team.

 

Duties and responsibilities

• Scope and perform penetration testing and vulnerability research of complex proprietary software and hardware for client services.

• Identify and assess vulnerabilities in systems and applications. This includes utilizing manual and automated testing methods to find and exploit code flaws, misconfigurations, and insecure software. 

• Keep cybersecurity training and knowledge current by monitoring the latest security threats and vulnerabilities.

• Write clear and concise penetration testing reports detailing findings and recommendations.

• Provide recommendations for remediation of identified vulnerabilities.

• Occasionally join senior leaders or stakeholders on client kick-off and discovery sessions to answer questions from prospects and clients. 

Requirements

• Strong knowledge of various operating systems and networks, especially experience with Linux, Windows, and Active Directory.

• Proficiency in a programming language such as Python, JavaScript, or C++.

• Experience with penetration testing tools and frameworks such as Metasploit, Nmap, and Nessus.

• Knowledge of web application security, including experience with web application scanners and manual testing techniques.

• Experience with a variety of security tools and techniques and the ability to write scripts to automate tasks.

• Strong communication and report-writing skills.

• A degree or one recognized certification such as the CPTS penetration testing certification, CompTIA PenTest+, or OSCP is ideal but not necessary.

• Experience with cloud and container technologies like AWS, Azure, and Kubernetes is a plus.

Above all, hands-on experience and a strong track record of successfully identifying and exploiting vulnerabilities are what we’re looking for in a Penetration Tester. 

Bonus points for:

1. A Hack The Box profile

2. Any Bug Bounty profile

3. A GitHub link

4. Personal blogs

5. Record of participation in CTF events

Benefits

• A competitive annual salary (dependent on experience)

• Annual company and performance-based bonus

• Contributory pension scheme (up to 10% employer contributions)

• A monthly commitment of at least 10 hours for your continuing professional development. 

• Paid access to training platforms such as Hack The Box to support upskilling.

• Flexible career paths and certification support.

• Company healthcare plan 

• 28 days annual leave plus public holidays

For more examples of active penetration testing job descriptions, browse the job portal on our app. If you’re not a member, you can sign up for free. 

Identifying security professionals that can think outside the box: 3 key interview questions

1. What’s your take on problem-solving. Is it something you enjoy? 

This question goes beyond a candidate's education and explores their passion and attitude for problem-solving.

A college or recognized training certification certainly helps a candidate acquire the knowledge, skills, and abilities required to work as a pentester; but a great hacker is a tenacious problem solver. One with the grit to dig deep into the root of a problem and creatively think outside the box. 

 

 Ben Rollin, Head of Training Development, Hack The Box

2. How would you approach a web application with no credentials?

This question allows the candidate to respond with an answer that shares their creativity and ability to think outside the box. 

To defend against an attacker, a candidate needs to be able to think and act like one. This demands the ability to understand, but also think beyond routine practices like scanning for known vulnerabilities. When assessing candidates, it means the ideal pentester should be able to approach a web application with no credentials and understand how to begin profiling it to plan their attacks. Cultivating this persistent creativity that’s critical to cybersecurity is why our CEO created Hack The Box:

As a former ethical hacker, I have learned new techniques from hands-on experience as well as taking part in, and winning, hacking competitions. I know that to be successful, you need to think outside of the box and develop a mindset rather than just a list of qualifications. But I also realized that there was a lack of training for these unique skills, so I created Hack The Box

 

 Haris Pylarinos, CEO, Hack The Box 

3. Do you participate in any CTFs or extracurricular activities related to cybersecurity? 

With so much rapid change in the cybersecurity industry, continuous learning via extracurricular activities is expected among all good penetration testers. It’s a trait that any savvy recruiter or hiring manager should look out for. In our interview with Jeremy Chisamore, a Senior Penetration Tester at Oracle, he, shares "how matching formal qualifications and CVs to on-the-job performance" is difficult, and that is why he values HTB activity on a resume when hiring junior penetration testers; it proves a level of technical competence. 

Related read: Best entry level cybersecurity jobs for aspiring hackers.

It’s hard to match formal qualifications and CVs to on-the-job performance. That’s why I pay attention to a candidate’s attitude and extracurricular activities. 

One example is HTB activity on a resume when hiring juniors. It shows that a candidate is deeply motivated and invested in developing their skills.

At Context Information Security (a former employer), for example, two juniors we hired were already active on HTB and it showed. They were extremely technically proficient and they passed the OSCP in approx 30 days. We were extremely impressed with them. 

 

 Jeremy Chisamore, Senior Penetration Tester, Oracle 

Hire for cybersecurity positions with HTB

Companies like Amazon Web Services, NTT, Verizon, Daimler, DAZN, and Context Information Security (which saved nearly $8,000 in potential agency recruitment fees) use Hack The Box to optimize cybersecurity recruitment by directly accessing skilled security professionals. 

Explore Talent Search 

Author bio: Hassan Ud-deen (hassassin), Content Marketing Manager, Hack The Box Hassan Ud-deen is the Content Marketing Manager at Hack The Box. Combining thought leadership and SEO to fuel demand generation is his jam. Hassan's also fascinated by cybersecurity, enjoys interviewing tech professionals, and when the mood strikes him occasionally tinkers within a Linux terminal in a dark room with his (HTB) hoodie on. #noob. Feel free to connect with him on LinkedIn.