Penetration Tester Salary Analysis

$112,200 median (+89% vs US median)

Salary intelligence synthesized from BLS Occupational Employment and Wage Statistics using the CyberPathIQ Methodology, designed by Julian Calvo, Ed.D.

Penetration Tester Salary: What $112,200 Actually Means for Your Career

The median penetration tester salary in the US sits at $112,200. That number looks clean on a job board. It feels like an answer. It isn't. It's a starting point for a conversation about what you're actually worth, what's holding you back from the top of the range, and whether the market right now rewards the skills you're building.

This analysis cross-references BLS compensation data with MITRE ATT&CK technique mappings, O*NET skill profiles, and community response data from working penetration testers. The goal isn't to make you feel good about a number. It's to help you use that number.


Where $112,200 Actually Lands You

Before you decide whether that median is good, run the math on where you'd live.

In San Francisco, $112,200 after federal and California state taxes leaves you roughly $75,000 take-home. Median one-bedroom rent runs $2,800-3,200/month. That's $33,600-$38,400 in rent alone, leaving you $36,000-$41,000 for everything else. You're not struggling, but you're not comfortable either. You're watching your spending.

In Austin, the same gross salary clears closer to $81,000 after federal taxes (no state income tax). A one-bedroom runs $1,400-1,800/month. You keep $60,000+ after rent. That's a materially different life on identical pay.

In Columbus, Cincinnati, or Kansas City, $112,200 is genuinely strong compensation. Rent for a solid one-bedroom runs $900-1,200/month. You're building savings, not just surviving.

The point isn't that you should move to Ohio. The point is that the median number is meaningless without geography. A pen tester earning $95,000 in Tulsa has more financial breathing room than one earning $130,000 in Seattle. When you're evaluating offers, convert everything to purchasing power, not gross salary.

Remote work changed this calculus significantly. US companies increasingly hire pen testers who work fully remote, which means you can capture a coastal salary while paying Midwest rent. That arbitrage is real and it's one of the strongest financial arguments for building pen test skills right now.


The Role Hierarchy: Where Pen Testing Sits

Pen testing at $112,200 median sits in a specific band of the security compensation structure. Here's how it compares to adjacent roles:

Role                          Median Salary
CISO                          $232,000
Security Architect            $158,600
Security Engineer             $124,900
Penetration Tester            $112,200
Threat Intelligence Analyst   $110,800
Incident Responder            $105,300
SOC Analyst                   $87,400
GRC Analyst                   $82,500

Pen testing pays 28% more than the SOC analyst median and 36% more than the median US worker. You're not in the top tier of security compensation, but you're well above the field's floor.

The more interesting comparison is against Security Engineer at $124,900. That $12,700 gap reflects something real: security engineers often own production systems, carry on-call responsibilities, and hold architectural accountability. Pen testers deliver findings. Engineers implement fixes. The market prices accountability higher than expertise, which is a negotiation insight we'll return to.

The gap between pen testing and Security Architect ($158,600) is where career trajectory matters. Many senior pen testers transition into architecture roles, bringing offensive knowledge into defensive design. That transition is worth roughly $46,000 in median salary. If you're three to five years into pen testing and wondering what's next, that path has a clear financial signal attached to it.


What Actually Drives the Salary Range

The median is $112,200, but pen testers are earning anywhere from $75,000 to $180,000+. That spread isn't random. Four factors explain most of it.

Clearance status is the single biggest lever. A pen tester with an active TS/SCI clearance working for a defense contractor or federal agency routinely earns $140,000-$175,000 for work that a non-cleared peer does for $95,000-$110,000. The clearance itself is the premium, not the skill differential. If you're a US citizen with a clean background and you're not pursuing a clearance, you're leaving a significant amount of money on the table. The investigation takes 6-18 months. Start the process before you need it.

Specialization separates mid-range earners from top earners. A generalist pen tester who runs Nessus scans and produces templated reports is a commodity. A tester who specializes in OT/ICS environments, cloud infrastructure (AWS/Azure/GCP), or mobile application security commands a premium because the talent pool is genuinely thin. Red teamers who can simulate APT behavior using MITRE ATT&CK TTPs, operate C2 infrastructure, and write custom tooling to evade EDR solutions like CrowdStrike Falcon or SentinelOne are not commodities. They're rare.

Certifications signal specialization credibly. The OSCP (Offensive Security Certified Professional) is the baseline credential the market actually respects. It's a 24-hour hands-on exam. You either exploit the machines or you don't. There's no multiple choice. Employers know this, which is why OSCP holders consistently report $10,000-$20,000 salary premiums over peers without it. OSEP (Offensive Security Experienced Penetration Tester) and OSED push that premium further. GPEN and GWAPT from GIAC carry weight in enterprise environments. CEH gets you past HR filters but doesn't impress practitioners.

Industry vertical matters more than most pen testers realize. Financial services and healthcare organizations pay a premium because their regulatory exposure is severe. A pen test finding at a bank isn't just a technical issue, it's a potential OCC or FDIC conversation. A finding at a hospital touches HIPAA liability. That regulatory weight translates into budget, which translates into compensation. Defense, critical infrastructure, and fintech consistently pay above the median. Retail and hospitality consistently pay below it.


The Cert-Experience Catch-22 in Pen Testing

Gerald Auger frames the central problem of breaking into cybersecurity precisely: "How do you get experience without a job, but how do you get a job without experience?" Pen testing has its own version of this, and it's sharper than most roles.

Every entry-level pen test posting wants two to three years of experience. You have zero. The OSCP proves you can execute, but many firms won't hire you for a client-facing engagement without prior professional experience. It's circular.

The paths that actually break the cycle:

Bug bounty programs on HackerOne and Bugcrowd give you real findings against real production systems. A disclosed CVE or a hall-of-fame mention is professional experience, regardless of whether you were employed when you found it. Employers know this.

Internal red team roles at large enterprises are often more accessible than consulting positions. You're not client-facing, the scope is controlled, and the firm can mentor you. The pay is slightly lower than consulting, but you're building the resume line that unlocks consulting later.

SOC analyst experience translates directly. Two years of alert triage, incident response, and threat hunting gives you the defensive context that makes you a better attacker. Many of the best pen testers came through blue team roles first. The path isn't a detour. It's preparation.

CTF performance on platforms like HackTheBox and TryHackMe, combined with a documented home lab, gives you something to show in technical interviews. Not as a substitute for experience, but as evidence that you can think offensively. A GitHub repo with custom scripts, a write-up of a retired HTB machine, or a documented lab exercise using BloodHound for AD enumeration tells a hiring manager something a resume bullet point can't.


Negotiation Leverage: Specific Points for Your Next Conversation

The median is $112,200. Here's how you argue for more than that.

Scope complexity is billable. If the engagement involves Active Directory environments, cloud infrastructure, or OT systems, that's not standard pen testing. It requires specific tooling knowledge (BloodHound, Impacket, Cobalt Strike simulation, cloud-native attack paths) and carries higher liability. Name the complexity explicitly in salary conversations. "This role includes cloud pen testing across AWS and Azure environments. That's a specialization that commands a premium in the market."

Report quality is underpriced. Most pen testers can find vulnerabilities. Fewer can write a finding that a CISO can take to the board and a developer can act on immediately. If you can demonstrate strong technical writing, you're solving a problem that firms consistently struggle with. Bring samples. Quantify the value: "A well-written report reduces remediation time and client callbacks. That's billable hours saved."

Clearance is a hard asset. If you hold an active clearance, state it plainly and early. "My TS/SCI is active and adjudicated. Replacing that takes 12-18 months and costs the firm $5,000-$15,000 in processing. That's part of my value." This isn't aggressive. It's accurate.

Certifications have a market rate. OSCP holders earn $10,000-$20,000 more than peers without it, consistently. If you have OSCP plus a specialization cert (OSEP, GWAPT, eWPTX), you're not asking for a premium. You're asking for the market rate for your credential stack.

Counter with total compensation, not just base. Training budget, conference attendance (DEF CON, Black Hat), lab access, and certification reimbursement have real dollar values. A firm offering $105,000 base with $5,000 training budget and full cert reimbursement is offering more than a firm at $112,000 with nothing. Do the math out loud in the negotiation.


Global Market Context: London, Toronto, and Remote-for-LATAM

The $112,200 US median doesn't translate directly to other markets, but the demand signal does.

In London, senior penetration testers earn £55,000-£85,000 ($68,000-$105,000 USD at current rates). The CHECK scheme, run by NCSC, is the UK's government-backed pen testing certification framework. CHECK Team Leader status is the UK equivalent of having your OSCP plus a clearance in terms of market premium. If you're working in the UK market, CHECK status is the credential conversation to have.

In Toronto and broader Canada, pen testers earn CAD $85,000-$130,000 ($62,000-$95,000 USD). The market is smaller but growing, particularly in financial services concentrated in Toronto and government work in Ottawa. Canadian firms increasingly accept US certifications (OSCP, GPEN) without requiring local equivalents.

The LATAM market is a different story. Local pen testing salaries in Brazil, Mexico, Colombia, and Argentina range from $20,000-$50,000 USD equivalent, which reflects local purchasing power rather than skill deficits. Demand is growing at roughly 53% year-over-year across the region, driven by financial sector digitization and increasing regulatory requirements. Spanish-language cybersecurity career resources are nearly nonexistent, which creates real opportunity for bilingual professionals who can bridge US methodology with LATAM market needs.

The remote arbitrage angle is significant here. US consulting firms and enterprises are actively hiring LATAM-based pen testers at $40,000-$65,000 USD, which is top-tier compensation locally and a cost savings for the employer. If you're in LATAM with OSCP and strong English, you're not competing in a local market. You're competing in a global one, and the gap between your local market rate and what a US firm will pay you is substantial.


Is the Market Accelerating or Flattening?

The honest answer is that pen testing compensation has been relatively stable over the past two years after a significant run-up during 2020-2022. The frenzied salary inflation of that period has cooled. That's not a warning sign. It's normalization.

What's changing is the nature of the work. AI-assisted vulnerability discovery is compressing the time required for certain assessment types, which puts pressure on firms that compete purely on volume. A pen tester who runs automated scans and produces templated reports is increasingly competing with tooling. A pen tester who can simulate sophisticated threat actor behavior, chain vulnerabilities into realistic attack paths, and communicate findings at the executive level is not.

The ISC2 2025 Workforce Study continues to report critical skills gaps across offensive security roles. CyberSeek data shows pen testing and red team positions among the hardest to fill in the security workforce. That supply constraint is a floor under compensation, even if the ceiling isn't rising as fast as it was.

The roles that are seeing accelerating demand right now are cloud pen testing, AI/ML system security assessment, and OT/ICS red teaming. These aren't niche specializations anymore. They're where the budget is moving. If you're building skills in 2025, those three areas have the clearest compensation upside over the next three to five years.


The Bottom Line on $112,200

The median is a reasonable anchor for a mid-level pen tester with two to four years of experience, OSCP, and no clearance working in a non-specialized vertical. It's the floor for someone with a clearance, a cloud or OT specialization, and five-plus years of professional engagements. It's the ceiling for someone who just passed their CEH and is running automated scans.

Where you fall in that range is a function of decisions you make before the negotiation starts: which certifications you pursue, which specializations you build, whether you pursue a clearance, and whether you develop the communication skills to translate technical findings into business risk.

The market right now has 514,000 open cybersecurity positions according to BLS data, and pen testing roles are among the hardest to fill. That's not a guarantee of employment. It's a signal that the skills gap is real and that people who close it get paid accordingly.

Your next move is deciding which part of that gap you're going to fill.


This analysis was produced using the CyberPathIQ Methodology, designed by Julian Calvo, Ed.D. (Learning Sciences). It cross-references real-time labor market data from the Bureau of Labor Statistics, threat intelligence frameworks from MITRE ATT&CK, occupational skill profiles from O*NET, and community response data from cybersecurity professionals currently in these roles.
