Pen testers from Germany and Europe, please share info

Hello guys, I am on my way to OSCP and I am planning to switch from my current job (not IT related) to penetration tester. I just love it and am planning a lot of certificates.
My question is about the job itself and the money. I do not know anyone who is in this field in Germany, or anyone who knows someone :-)

So I would really like it if people could share here or by DM, please. What is the job like, do you work remotely, how much do you work on a daily basis, what does one working day look like, etc.

I know you will all say "the money depends on your experience, company, certificates, knowledge, etc." I get that. But if I get info from 3-4 people I can make an estimate in my head. Please DM.

It would really help me to get a realistic point of view.

Thanks in advance.


Comments

  • Thanks @Anonymus for sharing this post. Exactly the same info I was also looking for.

    I am currently trying to switch my job after 3.5 years of pentesting and red teaming.

    Would appreciate it if the community can help us here.

  • Hi there.

    As already mentioned elsewhere, I am a penetration tester (and forensicator) in Germany. First off: I obviously can't speak about salary, but I found the following (German) blog post quite accurate: https://www.prosec-networks.com/blog/der-job-als-penetration-tester/ Those figures are pre-tax, of course.

    The last paragraph of that blog is bollocks, in my experience, but it might be different in other companies.
    For me, there is no such thing as a typical day (usually), but rather a typical week. Most of the engagements last 1 or 2 weeks. Sometimes more. So, the usual week starts with getting an overview of the test target, followed by (in my case) device or infrastructure tests (I don't like web, and IMO only know some basic stuff there ^^) and trying to document/write the report along the way. But most of the time I just take quick notes, and then spend 1-2 days actually documenting results and writing the actual report. Long-lasting projects are rather rare, since customers usually want/need results by yesterday. So, for complex tests, several testers get thrown at the target, to keep test time frames short (and customers happy).
    For me, switching to pentesting was making a profession from my passion. Of course, there are days you "hate" the job or certain tasks, but that's why it's a job. And in the end, you get paid for also doing the "less-enjoyable" stuff ;)


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • If these are actually the salaries then it is very, very sad... In the USA it is like $120,000 a year.

  • edited November 14

    HomeSen: What kind of vulnerabilities/results do you find typically? Is it just a scan stating this is an old version of bla bla which could be used by an adversary etc....? Or do you find something and priv esc, pivot and stuff like this?

    k4wld
    Discord: k4wld#5627

  • @k4wld said:

    HomeSen: What kind of vulnerabilities/results do you find typically? Is it just a scan stating this is an old version of bla bla which could be used by an adversary etc....? Or do you find something and priv esc, pivot and stuff like this?

    This depends on the actual engagement ;)
    Sometimes, customers just want (to pay for) simple vulnerability scans. But most of the time, they prefer an actual penetration test, which can still involve running Nessus against the network (mostly to get a rough overview of larger networks), but also actively attacking devices and services, trying to escalate privileges and moving from one host to the next :D


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • edited November 15
    Are these salaries for real? I know electricians and UPS drivers who make more than this. Isn't Germany one of the richest countries in the world?

    I really wonder if they make up the numbers for the staff they try to hire. :D Just joking..

    Hack The Box

  • @sparkla said:

    Are these salaries for real? I know electricians and UPS drivers who make more than this. Isn't Germany one of the richest countries in the world?

    I really wonder if they make up the numbers for the staff they try to hire. :D Just joking..

    That is what I said in another post, I think on your topic: when I asked for 2500 euros for a pentesting job in Berlin, they said that is even too much for Germany.

    I saw a job ad for a cybersecurity team leader in Germany with 10+ years' experience; they are offering 95k gross per year, which is ~5k net per month.

  • I think I made close to this (the junior salaries from the link) in my best years as a freelancer. That was one of the reasons I switched to sec, because I worked my a** off day and night and couldn't even afford a car or save some money for when I'm old.

    Now I worked my a** off even harder to get into sec and get my first cert. I would not work for this kind of money, who does this? How can it be that we work harder and smarter than anyone else and get offered such a sh*ty salary? Then why do this? Don't give me that "I love my job and do it for passion" again. There are thousands of doctors out there, they work day and night even harder than us, and I bet most are very passionate about saving lives. Yet I also bet if they got paid that little there wouldn't be so many doctors anymore. Are doctors earning as little in Germany? I think some German companies want to keep people small, keep them hustling so they don't act up and question things. Or maybe IT isn't going so well in Germany, heard that somewhere.

    Hack The Box

  • I just remembered, 20 years ago I started studying IT at university, the teachers told us we could expect around €100,000 per year when we finished. That was twenty frakin years ago. :D

    Hack The Box

  • @sparkla said:

    Are these salaries for real? I know electricians and UPS drivers who make more than this. Isn't Germany one of the richest countries in the world?

    I really wonder if they make up the numbers for the staff they try to hire. :D Just joking..

    I honestly think this is not true. If you take some shitty job you are gonna earn more. Here is another link I found, but it is also not encouraging.

    https://www.gehalt.de/beruf/penetration-tester

    I mean this is gross, and net is maybe 4000 - 4500€, but this is also kind of small.

    @solid5n4k3 said:
    That is what I said in another post, I think on your topic: when I asked for 2500 euros for a pentesting job in Berlin, they said that is even too much for Germany.

    I saw a job ad for a cybersecurity team leader in Germany with 10+ years' experience; they are offering 95k gross per year, which is ~5k net per month.

    I honestly hope it is not like that. I have a friend working as a software developer in Switzerland, he is earning 120,000 a year. So I can't accept that Germany gives 4 times less for what we do or are gonna do. If you are from Serbia then you know that there are people in Serbia working as software developers remotely or for foreign companies earning 1500€+ in Serbia, which is super good considering that people are working for like 400€ there. So something is weird about that, and unfortunately we don't have anyone who is gonna be honest and really say how it is...

    @sparkla said:
    I think I made close to this (the junior salaries from the link) in my best years as a freelancer. That was one of the reasons I switched to sec, because I worked my a** off day and night and couldn't even afford a car or save some money for when I'm old.

    Now I worked my a** off even harder to get into sec and get my first cert. I would not work for this kind of money, who does this? How can it be that we work harder and smarter than anyone else and get offered such a sh*ty salary? Then why do this? Don't give me that "I love my job and do it for passion" again. There are thousands of doctors out there, they work day and night even harder than us, and I bet most are very passionate about saving lives. Yet I also bet if they got paid that little there wouldn't be so many doctors anymore. Are doctors earning as little in Germany? I think some German companies want to keep people small, keep them hustling so they don't act up and question things. Or maybe IT isn't going so well in Germany, heard that somewhere.

    You are absolutely 100% right. Germany will take as much as it can from you. It wants you to look small, it does not give a lot of opportunities to be rich. I don't wanna start on this topic because Germany is always watching LOL
    Anyways, back to the salary, I honestly hope it is not like that. But if it is, I am never ever changing my job. Pentesting is gonna be my last resort. But I wanna do the cert for myself because it's fun and I already started lol

  • @Anonymus said:

    I honestly hope it is not like that. I have a friend working as a software developer in Switzerland, he is earning 120,000 a year. So I can't accept that Germany gives 4 times less for what we do or are gonna do. If you are from Serbia then you know that there are people in Serbia working as software developers remotely or for foreign companies earning 1500€+ in Serbia, which is super good considering that people are working for like 400€ there. So something is weird about that, and unfortunately we don't have anyone who is gonna be honest and really say how it is...

    Yes, I am from Serbia :D.
    That was my experience, I would also like it if it wasn't true.

    Switzerland is 2-3 times more expensive than Germany; people living near the border go to Germany to buy groceries.

  • So I've never worked as a pentester or in Germany so take anything I say here with that in mind.

    In the UK, most posts with "average salaries" are wildly inaccurate and cover an average between shockingly badly paid interns and senior directors. It's also pretty irrelevant if there isn't a job offering you that salary, it just makes you feel like you've been cheated or overpaid.

    Because it is a wildly moving target, for me the only way to get a feel is to search for the job adverts and see what people are willing to offer.

    Checking now, lots seem to show up with ranges like €50000 - 90000 per year which isn't really helpful for getting an idea of what is normal.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • I can say from experience, Switzerland isn't 2x more expensive than Germany. The reason why people on the border shop in the other country is for fun, to have a trip and a good time, some new foods and that stuff. It depends a little on current exchange rates, so yeah the Swiss franc can buy a little more if shopping in a € country, but that's about like 5%. I've been to both countries, but what is true is that lots of Germans try to work in Switzerland simply because the pay is better, and that is simply because Swiss companies have more money than German ones.

    Hack The Box

  • @TazWake said:

    So I've never worked as a pentester or in Germany so take anything I say here with that in mind.

    In the UK, most posts with "average salaries" are wildly inaccurate and cover an average between shockingly badly paid interns and senior directors. It's also pretty irrelevant if there isn't a job offering you that salary, it just makes you feel like you've been cheated or overpaid.

    Because it is a wildly moving target, for me the only way to get a feel is to search for the job adverts and see what people are willing to offer.

    Checking now, lots seem to show up with ranges like €50000 - 90000 per year which isn't really helpful for getting an idea of what is normal.

    I think everything 7000€+ is ok. After Germany rips you off you end up with a decent salary :-)

  • @sparkla said:

    I can say from experience, Switzerland isn't 2x more expensive than Germany. The reason why people on the border shop in the other country is for fun, to have a trip and a good time, some new foods and that stuff. It depends a little on current exchange rates, so yeah the Swiss franc can buy a little more if shopping in a € country, but that's about like 5%. I've been to both countries, but what is true is that lots of Germans try to work in Switzerland simply because the pay is better, and that is simply because Swiss companies have more money than German ones.

    And because taxes are lower.

    This is just insane what Germany does:

    Income tax in Germany is progressive, starting at 1% and rising incrementally to 42% or for very high incomes, 45%. The tax rate of 42% applies to taxable income above €55,960 for 2019. As well as income tax, everyone has to pay solidarity tax (Solidaritätszuschlag or "Soli"), which is capped at 5.5% of income tax

    And in Switzerland the personal income tax rate is 40%.

    Germany does not allow you to be rich... Insane...

  • edited November 16
    I would be ok with lower pay, if the rest is ok. If I'm:
    - treated like a human being
    - respected for the amount of work I put into my education
    - allowed to work from home 100%
    - given an unlimited contract in terms of duration
    - offered real increments on salary (not like: "maybe in a few years you get 2 bags of potato chips extra")
    - getting flexible working hours
    - receiving real benefits and incentives, like a good company car, and not a fkin bus ticket + access to the fruit flatrate (whenever I read that I run away instantly. It's like: "We totally care about your health and the environment" - Oh really? I'm fructose and bs intolerant)
    - having an interesting position according to my skills and chances to move up, and not "Here's your junior assistant role in a cubicle, you also need to do all the customer support and take care of monetizing your projects"
    - in a friendly working environment and not everyone elbowing the next guy from day one
    ... (yeah, there's a lot more like this)

    But still not for 25k after tax. :D

    Hack The Box

  • @Anonymus said:

    Hello guys, I am on my way to OSCP and I am planning to switch from my current job (not IT related) to penetration tester. I just love it and am planning a lot of certificates.

    I'm in the same boat as you, so if you happen to be around Munich and you're looking for a study partner, send me a PM.

  • @sparkla said:

    I would be ok with lower pay, if the rest is ok. If I'm:

    • treated like a human being
    • respected for the amount of work I put into my education
    • allowed to work from home 100%
    • given an unlimited contract in terms of duration
    • offered real increments on salary (not like: "maybe in a few years you get 2 bags of potato chips extra")
    • getting flexible working hours
    • receiving real benefits and incentives, like a good company car, and not a fkin bus ticket + access to the fruit flatrate (whenever I read that I run away instantly. It's like: "We totally care about your health and the environment" - Oh really? I'm fructose and bs intolerant)
    • having an interesting position according to my skills and chances to move up, and not "Here's your junior assistant role in a cubicle, you also need to do all the customer support and take care of monetizing your projects"
    • in a friendly working environment and not everyone elbowing the next guy from day one
      ... (yeah, there's a lot more like this)

    But still not for 25k after tax. :D

    You are absolutely right, but I would also not work for under 5000€ after taxes, and that would be only if I have no other option :)
    But to find a company that treats you with respect and as a human being and not as a number is very hard. Basically with everything you wrote you described 99.9% of the companies, unfortunately.

  • allowed to work from home 100%

    That may be possible currently due to the pandemic, but a lot of pen testing jobs require you to go onsite, especially internal infrastructure gigs.

  • @sm4sh0ps Strangely enough, pretty much all billboard become-a-pentester ads say the exact opposite.

    Hack The Box

  • @sparkla said:

    @sm4sh0ps Strangely enough, pretty much all billboard become-a-pentester ads say the exact opposite.

    I wouldn't trust the adverts. Webapps may tend to be remote pentests but nearly all tests are carried out against environments which are not exposed to the internet/public.

    Most places I've seen expect the pentesters (even webapp ones) to turn up on site and be supervised by the security team.

    I've seen places do this for tests against AWS infrastructure... I can't say why, it just happens.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @sparkla in the UK going onsite and living in hotels is just considered part of the job. Pen testers are expected to do assessments on web apps and infrastructure that is not remotely accessible.


  • @TazWake said:

    expect the pentesters (even webapp ones) to turn up on site and be supervised by the security team.

    That kind of sucks to be supervised like you don't know what you are doing and they are supervising you. If they know better why don't they do it? Maybe I am wrong to say that but it feels undermining.

  • @Anonymus said:

    That kind of sucks to be supervised like you don't know what you are doing and they are supervising you. If they know better why don't they do it? Maybe I am wrong to say that but it feels undermining.

    Every organisation varies, but the supervision doesn't tend to be down to watching the commands, more a case of making sure that the scope is maintained and that as soon as anything is discovered they can start dealing with it.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake said:

    Every organisation varies, but the supervision doesn't tend to be down to watching the commands, more a case of making sure that the scope is maintained and that as soon as anything is discovered they can start dealing with it.

    When you put it that way it sounds nicer :)

    What are your thoughts about the salaries?

  • @Anonymus said:

    When you put it that way it sounds nicer :)

    :smile:

    What are your thoughts about the salaries?

    They vary wildly.

    Generally, I've seen brand new pentesters with little to no experience start around £35-40k in the UK.

    An experienced pentester would probably be asking for around £55-60k (regional variations are HUGE and if you work for big consultancies it is generally less).

    A very good pentester, or one with specialist knowledge, is probably looking at ~£70-90k.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • £35-40k before taxes is also nothing... :(

  • @Anonymus said:

    £35-40k before taxes is also nothing... :(

    So that depends on your perspective.

    If you are 21 years old, straight out of University it is roughly double what you will get anywhere else. I wouldn't take a role at that salary but then I wouldn't take an entry level role.

    The median salary for everyone in the UK working full time is about £30k, so for an entry-level pentester to start in the top half of salaries is pretty good. If the same person was a medical doctor, they'd be looking at about £23k to start.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @sparkla Working at the customer's site is pretty much a must. You can usually negotiate the amount of traveling (e.g. 30% of your overall working time, or less or more), but that will affect your salary. It's not necessarily that the customer doesn't trust you, but they usually don't want to expose everything to the internet. And VPN is often not an option either, simply due to regulatory reasons. And for infrastructure/OT tests over VPN, you would simply die from all the latency, which will increase testing time by 200% or even more.
    Getting several benefits will definitely be the case. Especially in larger companies. But then again, those tend to pay less. And when they are "too large", you will have a lot of (ancient) processes involved that also might lower the steps for raises (like, e.g. "no more than 5%/year, since that's as we always did it").
    You want to work from home 100% of the time, then why on earth should any company provide a company-sponsored car to you? Also, you'd have to pay taxes for that, too.
    Flexible working hours are getting more common, yet it will still often be the case that you are only allowed to perform your tests during your customer's (extended) business hours. Simply because someone will have to restart/fix what you break. And trust me, it will break by the time the other side is on lunch break, or otherwise unavailable. But that highly depends on the target and scope.

    @everyone else in here, whining about the salaries: How about some cheese. Or at least a pint of realism. You get into that job as a beginner (at least that is what the discussion originally was about), and no, you are NOT the 31337 pentest sup4h4xx0r that you might imagine yourself.
    Yes, maybe the image from outside suggests pentesters being the InfoSec Rockstars. Sorry, but that's far from reality. It's a job you're getting paid to do. It might coincidentally be your passion. But that's as much as it will get. Why exactly should you get paid a lot more than e.g. a nurse/doctor/engineer?
    You might start the job with some experience. That's great, and it will definitely get you to the upper bounds of a beginner's salary. But that doesn't even remotely justify a senior's or subject matter expert's salary.

    Another thing is regional differences, as @TazWake already mentioned: Salaries vary a lot between different locations. In bigger cities like Munich, Hamburg, Berlin, the average rent (and other "life expenses") are a lot higher than e.g. in Rostock, Halle, Buxtehude, Bochum, etc. So, naturally, you'll get a fair amount more in those cities. But then again, a lot less will remain for savings/spare-time/etc.

    Moaning about taxes: "Switzerland has a max of 40% taxes". Sure, and those 2% more in Germany make a difference of 100€ per month with an annual net income of 60k. The additional solidarity tax of 5.5% will be dropped for 90% of all employees next year.
    Yes, the US also has lower taxes and (almost) no social security contributions, but they also don't really have a social security system. And I would definitely NOT want to exchange a slightly higher salary for having to pay all my health expenses on my own ;)

    I wouldn't work for less than 5000/month after taxes

    Great. Good luck finding a company that will pay a beginner 120k/year. Trust me, that will never happen.


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • edited November 16

    @HomeSen said:

    Yes, the US also have a lower taxes and (almost) no social security taxes. but they also don't really have a social security system. And I would definitely NOT want to exchange a slightly higher salary for having to pay all my health expenses on my own

    I think this is the most significant difference, and why people are slightly misled by what they see as super well-paid jobs in places like major US cities. (note some regions of the US have pentesters earning US$60k and being comfortable vs ones in LA struggling on US$100k)

    Everything is a trade off - we can pay less tax and pay more for personal solutions, or more tax and know that the environment around us is there when we need it. For most people, it is generally cheaper to get the economy of scale by the state paying for things.

    Some people have the idea they are immortal and will never get sick, so object to paying towards nationalised solutions. I feel that ignores the reality of life.

    I also think there is an issue around the idea of what makes you "rich". I've met rich Germans, so it must be possible. I've also met poor Germans who are significantly richer than middle-class people in Sierra Leone and have better healthcare, life expectancy and "life comfort" than large swathes of the US.

    There is a social contract to be considered. If you have grown up with access to hospitals and doctors, roads which allow you to travel to and from work, police who reduce crimes against your & your property, a military which defends your life, fire service ready to save you in an emergency, municipal services who take away waste, a government that sets standards to make sure you have clean, drinkable water and can trust trivial things like food labels etc., then this has to be paid for.

    It is a shame lots of people claim to be "entrepreneurs" (etc) but basically take advantage of the state support for the first 22 years of their life, then run before they have to pay anything back into the pot.

    </rant>

    Rants are my favourite bit of the Off-Topic section. I wish more people would do them.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/
