How to Start a Career in Penetration Testing From Scratch

A practical, no-fluff guide to breaking into penetration testing: build foundational networking and Linux skills, master nmap, Burp Suite, and Metasploit, set up a challenging home lab, earn the right certifications, and land your first job without a degree.

June 2026 · 8 min read

You don't need a computer science degree or years of sysadmin work to become a pentester. You do need a relentless curiosity about how things break — and the discipline to fix them before bad guys do.

The field is overflowing with bootcamps, certs, and "ethical hacker" courses. Some are gold. Most are noise. Here's the direct path from zero to landing your first penetration testing job.

Get the Core Technical Foundation First

Before you touch a single command, understand how the internet works at a low level. You can't hack what you don't understand.

Networking is non-negotiable

  • TCP/IP stack — know how a three-way handshake works, not just the name
  • Subnetting, DNS, HTTP/HTTPS — you'll see them in every engagement
  • Wireshark — spend a weekend capturing traffic and reading packets. It's the best debugging tool you'll ever use

Linux is your operating system

  • Set up a home lab with VirtualBox or VMware
  • Install Kali Linux, Ubuntu Server, and a Windows VM
  • Learn to navigate entirely by command line: grep, awk, sed, find, netstat
  • Write bash scripts to automate repetitive tasks

One solid goal: be able to set up a fully patched Linux server from scratch without a graphical interface.

The Three Tools You Must Master First

Avoid the trap of collecting 200 hacking tools. You'll use three constantly.

  1. nmap — port scanning is the first step in almost every test. Learn every flag, output format, and scripting engine option
  2. Burp Suite (Community Edition is fine) — intercept, modify, replay, and fuzz HTTP traffic
  3. Metasploit — not as a "point and root" toy, but to understand exploit structure and payload generation

Practice these until you can explain each flag or option without looking at help text.

Build a Home Lab That Hurts

Don't just download vulnerable VMs and run default exploits. That teaches nothing.

Set up:

  • A Windows domain controller with Active Directory
  • A Linux web server running a custom PHP application
  • A firewall between them with strict rules

Now try to pivot from the web server to the domain controller. That's real pentesting.

Free resources to populate your lab:

  • VulnHub — complete vulnerable machines
  • Hack The Box — retired machines are still excellent
  • TryHackMe — guided paths for beginners

Progress from "I got root" to "I fully documented my attack chain with screenshots and mitigation recommendations."

Learn to Actually Report Findings

Most pentesters fail interviews not because they can't exploit a box — but because they can't communicate the risk to a non-technical CISO.

Write one real penetration test report:

  • Executive summary (2 paragraphs max)
  • Technical findings (CVSS score, proof of concept, reproduction steps, remediation)
  • Appendices (tools used, methodology, scope)

Use a template from Offensive Security or SANS. Then have a mentor tear it apart.

Certifications That Matter (In Order)

Your first cert should demonstrate hands-on ability, not multiple choice recall.

  1. OSCP (Offensive Security Certified Professional) — the gold standard. 24-hour exam, actual exploitation
  2. PNPT (Practical Network Penetration Tester) — newer, more modern scope, includes AD attacks
  3. eJPT (eLearnSecurity Junior Penetration Tester) — good stepping stone before OSCP

Skip CEH. It's expensive, mostly theoretical, and few hiring managers prioritize it over a solid GitHub portfolio.

Build a Portfolio That Gets You Hired

GitHub is your resume. Recruiters will look at your repos before your LinkedIn.

Create:

  • A custom scanner for a specific vulnerability (e.g., local file inclusion detector)
  • A full penetration test report from your home lab
  • A tool that automates a tedious part of reconnaissance

Contribute to:

  • PayloadsAllTheThings — fix or add payloads
  • Nmap scripts — write one custom NSE script

The Real Path to First Job

Most people try to apply to "Penetration Tester" roles cold and get rejected. Instead:

  1. Get a SOC analyst role — you'll see real attacks, learn incident response, and build relationships with senior testers
  2. Bug bounty in your spare time — HackerOne or Bugcrowd. Even $100 bounties prove you can find real vulnerabilities
  3. Network at local security meetups — InfraGard, OWASP chapter meetings, security conferences. Most pentesting jobs are filled by referral

After 6–12 months of SOC work plus 50+ bounty reports, you'll have the experience to skip the "junior" title entirely.

What Most Courses Won't Tell You

  • You'll fail exploits repeatedly. That's normal. Debugging is 80% of the job.
  • Social engineering is part of every engagement. Learn to talk to people, not just computers.
  • Burnout is real. Active testing 4 hours a day yields more than 10 hours of frustrated clicking.

You don't find pentesting — you build it, one shell and one botched privilege escalation at a time. The only shortcut is consistency.
