Skip to content

Don't know what to focus on to become a Penetration Tester..? This is the BEST roadmap for becoming a modern penetration tester. Everything you need to know to land a paying job, categorized in 5 skill levels.

Notifications You must be signed in to change notification settings

Kennyslaboratory/Ultimate-Hacker-Roadmap

Repository files navigation

The Ultimate Hacker Roadmap

Skill Levels

  • Clueless (Unhirable)

    • You really want a any job in IT but are unsure how to transition into an IT job from your current position.
    • You don't understand computing fundaments, code, networking, web technology, or how anything works beyond a very basic fundamental level.
    • Most technical things you've done are operating system installations, virus scans, and putting together a computer from scratch.
  • Newbie ($30k - $50k)

    • Already working as IT Support Specialist, IT Consultant, PC Repair Technician, etc.
    • Start here if you are not yet a penetration tester!
    • Can troubleshoot PC problems, backup data, run RJ45 cables, and fix issues with email clients such as Outlook.
    • You might understand a little bit about the Linux CLI, basic BASH Scripting, etc.
    • You will struggle but can likely code your own static Website using HTML, CSS, and some JavaScript.
    • Understands how to troubleshoot computer and network issues.
    • May have an idea or recently discovered the OWASP Top 10, and maybe they've done a few walkthroughs regarding SQL Injection, XSS, and CSRF.
    • Gets the gist of encryption but doesn't understand it fully. "It has keys and stuff..?"
    • Understands the CIA Triad, generally understands the differences between encryption, hashing, and encoding.
    • Mr. Robot is your favorite TV Series.
  • Associate ($80k - $90k)

    • Associate Security Consultant, Junior-Level Penetration Tester
    • Understands the OWASP Top 10 and probably recently learned about CORS, OOB-XXE, JWT bugs, Cache Poisoning, OAuth2, and NoSQL Databases.
    • Can do basic code review, but will likely struggle to find more granular vulnerabilities that require fuzzing and advanced debugging.
    • Can build basic tools with Sockets, Regular Expressions, Web Scrapping Libraries, etc.
    • You've played with Web Frameworks and MVC Web Applications. You are fluent in HTML, CSS, and JavaScript.
    • Proficient with web technologies, understands low-level networking, and is in the process of learning Memory Management in C/C++ and Assembly.
    • Can do a basic stack-based buffer overflow CTF, but will likely fail to bypass DEP, ASLR, etc.
    • May know a slight amount about Mobile Technology but not enough to do a security assessment.
    • Can be hired as a security professional and work professionally but will likely need to be supervised.
    • Might get stumped when trying to bypass certain protections such as firewalls, Content Security Policy, etc.
  • Mid-Level ($95k - $120k)

    • Security Consultant, Security Engineer, Penetration Tester
    • Can perform code review and work alone in most cases.
    • Proficient enough to work full-time remotely, requires very little oversight.
    • Understands "The Big 4" - Web Applications, Binary Exploitation, Mobile Applications, and Network-Based Attacks.
    • Understands how to Fuzz an application, Heap Spray, do Power Analysis, and enumerate more granular vulnerabilities like Race Conditions, etc.
    • Can build a basic application using services from cloud providers. (AWS, GCP, Azure).
    • Understands how to bypass most protections effectively.
    • Routinely challenges themselves with more complicated CTFs, Labs, and Projects.
    • Can likely develop their own malware or at least script enough to exfilrate the data they want.
    • Enough knowledge to write a fairly useful guide or book on penetration testing.
  • Senior ($120k+)

    • Senior Security Consultant, Senior Security Engineer, etc.
    • Works very close to the metal.
    • Has attended their fair share of hacker conventions and conferences.
    • Can bypass modern binary protection mechanisms such as DEP, ASLR, Canaries, CFI, Isolated Heaps, etc.
    • Has specialized knowledge in specific technologies. (Vehicles, IoT Devices, Firmware, etc)
    • Can be found writing papers and providing talks at hacker conventions.
    • May have knowledge in Malware Analysis and deobfuscating hardened malware.

    Overview of IT Certifications

    certs

About

Don't know what to focus on to become a Penetration Tester..? This is the BEST roadmap for becoming a modern penetration tester. Everything you need to know to land a paying job, categorized in 5 skill levels.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published