Pentesters from Germany and Europe, please share info

So I’ve never worked as a pentester or in Germany so take anything I say here with that in mind.

In the UK, most posts with “average salaries” are wildly inaccurate and cover an average between shockingly badly paid interns and senior directors. It’s also pretty irrelevant if there isn’t a job offering you that salary, it just makes you feel like you’ve been cheated or overpaid.

Because it is a wildly moving target, for me the only way to get a feel is to search for the job adverts and see what people are willing to offer.

Checking now, lots seem to show up with ranges like €50000 - 90000 per year which isn’t really helpful for getting an idea of what is normal.

@TazWake said:

So I’ve never worked as a pentester or in Germany so take anything I say here with that in mind. […]

I think anything €7000+ is OK. After Germany rips you off you end up with a decent salary :slight_smile:

@sparkla said:

I can say from experience, Switzerland isn’t 2x more expensive than Germany. The reason why people on the border shop in the other country is for fun, to have a trip and a good time, some new foods and that stuff. It depends a little on current exchange rates, so yeah, the Swiss franc can buy a little more if shopping in a € country, but that’s about like 5%. I’ve been to both countries, but what is true is that lots of Germans try to work in Switzerland simply because the pay is better, and that is simply because Swiss companies have more money than German ones.

And because taxes are lower.

This is just insane what Germany does:

Income tax in Germany is progressive, starting at 1% and rising incrementally to 42% or for very high incomes, 45%. The tax rate of 42% applies to taxable income above €55,960 for 2019. As well as income tax, everyone has to pay solidarity tax (Solidaritätszuschlag or “Soli”), which is capped at 5.5% of income tax

And in Switzerland the personal income tax rate is 40%.

Germany does not allow you to be rich… Insane…

@Anonymus said:

Hello guys, I am on my way to OSCP and I am planning to switch from my current job (not IT related) to penetration tester. I just love it and am planning a lot of certificates.

I’m in the same boat as you, so if you happen to be around Munich and you’re looking for a study partner, send me a PM.

@sparkla said:

I would be ok with lower pay, if the rest is ok. If I’m:

  • treated like a human being
  • respected for the amount of work I put into my education
  • allowed to work from home 100%
  • given an unlimited contract in terms of duration
  • offered real increments on salary (not like: “maybe in a few years you get 2 bags of potato chips extra”)
  • getting flexible working hours
  • receiving real benefits and incentives, like a good company car, and not a fkin bus ticket + access to the fruit flatrate (whenever I read that I run away instantly. It’s like: “We totally care about your health and the environment” - Oh really? I’m fructose and bs intolerant)
  • having an interesting position according to my skills and chances to move up, and not “Here’s your junior assistant role in a cubicle, you also need to do all the customer support and take care of monetizing your projects”
  • in a friendly working environment and not everyone elbowing the next guy from day one
    … (yeah, there’s a lot more like this)

But still not for 25k after tax. :smiley:

You are absolutely right, but I would also not work for under €5000 after taxes, and even that only if I had no other option :slight_smile:
But to find a company that treats you with respect and as a human being and not as a number is very hard. Basically, with everything you wrote you described 99.9% of the companies, unfortunately.

allowed to work from home 100%

That may be possible currently due to the pandemic, but a lot of pentesting jobs require you to go on site, especially internal infrastructure gigs.

@sparkla said:

@sm4sh0ps Strangely enough, pretty much all billboard become-a-pentester ads say the exact opposite.

I wouldn’t trust the adverts. Web apps may tend to be remote pentests, but nearly all tests are carried out against environments which are not exposed to the internet/public.

Most places I’ve seen expect the pentesters (even webapp ones) to turn up on site and be supervised by the security team.

I’ve seen places do this for tests against AWS infrastructure… I can’t say why, it just happens.

@sparkla in the UK, going on site and living in hotels is just considered part of the job. Pentesters are expected to do assessments on web apps and infrastructure that is not remotely accessible.

@TazWake said:

expect the pentesters (even webapp ones) to turn up on site and be supervised by the security team.

That kind of sucks, to be supervised like you don’t know what you are doing and they are supervising you. If they know better, why don’t they do it? Maybe I am wrong to say that, but it feels undermining.

@Anonymus said:

That kind of sucks, to be supervised like you don’t know what you are doing and they are supervising you. If they know better, why don’t they do it? Maybe I am wrong to say that, but it feels undermining.

Every organisation varies, but the supervision doesn’t tend to be down to watching the commands, more a case of making sure that the scope is maintained and that as soon as anything is discovered they can start dealing with it.

@TazWake said:

Every organisation varies, but the supervision doesn’t tend to be down to watching the commands, more a case of making sure that the scope is maintained and that as soon as anything is discovered they can start dealing with it.

When you put it that way it sounds nicer :slight_smile:

What are your thoughts about the salaries?

@Anonymus said:

When you put it that way it sounds nicer :slight_smile:

:smile:

What are your thoughts about the salaries?

They vary wildly.

Generally, I’ve seen brand new pentesters with little to no experience start around £35-40k in the UK.

An experienced pentester would probably be asking for around £55-60k (regional variations are HUGE and if you work for big consultancies it is generally less).

A very good pentester, or one with specialist knowledge, is probably looking at ~£70-90k.

£35-40k before taxes is also nothing… :frowning:

@Anonymus said:

£35-40k before taxes is also nothing… :frowning:

So that depends on your perspective.

If you are 21 years old, straight out of university, it is roughly double what you will get anywhere else. I wouldn’t take a role at that salary, but then I wouldn’t take an entry-level role.

The median salary for everyone in the UK working full time is about £30k, so for an entry-level pentester to start in the top half of salaries is pretty good. If the same person was a medical doctor, they’d be looking at about £23k to start.

@sparkla Working at the customer’s site is pretty much a must. You can usually negotiate the amount of travelling (e.g. 30% of your overall working time, or less or more), but that will affect your salary. It’s not necessarily that the customer doesn’t trust you, but they usually don’t want to expose everything to the internet. And VPN is often no option either, simply due to regulatory reasons. And for infrastructure/OT tests over VPN, you would simply die from all the latency, which will increase testing time by 200% or even more.
Getting several benefits will definitely be the case, especially in larger companies. But then again, those tend to pay less. And when they are “too large”, you will have a lot of (ancient) processes involved that also might lower the steps for raises (like, e.g., “no more than 5%/year, since that’s how we always did it”).
If you want to work from home 100% of the time, then why on earth should any company provide a company-sponsored car to you? Also, you’d have to pay taxes for that, too.
Flexible working hours are getting more common, yet it will still often be the case that you are only allowed to perform your tests during your customer’s (extended) business hours. Simply because someone will have to restart/fix what you break. And trust me, it will break by the time the other side is on lunch break, or otherwise unavailable. But that highly depends on the target and scope.

@everyone else in here, whining about the salaries: How about some cheese. Or at least a pint of realism. You get into that job as a beginner (at least that is what the discussion originally was about), and no, you are NOT the 31337 pentest sup4h4xx0r that you might imagine yourself to be.
Yes, maybe the image from outside suggests pentesters being the InfoSec rockstars. Sorry, but that’s far from reality. It’s a job you’re getting paid to do. It might coincidentally be your passion. But that’s as much as it will get. Why exactly should you get paid a lot more than, e.g., a nurse/doctor/engineer?
You might start the job with some experience. That’s great, and it will definitely get you to the upper bounds of a beginner’s salary. But that doesn’t even remotely justify a senior’s or subject matter expert’s salary.

Another thing is regional differences, as @TazWake already mentioned: Salaries vary a lot between different locations. In bigger cities like Munich, Hamburg, Berlin, the average rent (and other “life expenses”) are a lot higher than e.g. in Rostock, Halle, Buxtehude, Bochum, etc. So, naturally, you’ll get a fair amount more in those cities. But then again, a lot less will remain for savings/spare-time/etc.

Moaning about taxes: “Switzerland has a max of 40% taxes”. Sure, and those 2% more in Germany make a difference of €100 per month on an annual net income of 60k. The additional solidarity tax of 5.5% will be scrapped for 90% of all employees next year.
Yes, the US also has lower taxes and (almost) no social security taxes, but it also doesn’t really have a social security system. And I would definitely NOT want to exchange a slightly higher salary for having to pay all my health expenses on my own :wink:

I wouldn’t work for less than 5000/month after taxes
Great. Good luck finding a company that will pay a beginner 120k/year. Trust me, that will never happen.

@HomeSen said:

Yes, the US also has lower taxes and (almost) no social security taxes, but it also doesn’t really have a social security system. And I would definitely NOT want to exchange a slightly higher salary for having to pay all my health expenses on my own

I think this is the most significant difference, and why people are slightly misled by what they see as super well-paid jobs in places like major US cities. (note some regions of the US have pentesters earning US$60k and being comfortable vs ones in LA struggling on US$100k)

Everything is a trade off - we can pay less tax and pay more for personal solutions, or more tax and know that the environment around us is there when we need it. For most people, it is generally cheaper to get the economy of scale by the state paying for things.

Some people have the idea they are immortal and will never get sick, so object to paying towards nationalised solutions. I feel that ignores the reality of life.

I also think there is an issue around the idea of what makes you “rich”. I’ve met rich Germans, so it must be possible. I’ve also met poor Germans who are significantly richer than middle-class people in Sierra Leone and have better healthcare, life expectancy and “life comfort” than large swathes of the US.

There is a social contract to be considered. If you have grown up with access to hospitals and doctors, roads which allow you to travel to and from work, police who reduce crimes against your & your property, a military which defends your life, fire service ready to save you in an emergency, municipal services who take away waste, a government that sets standards to make sure you have clean, drinkable water and can trust trivial things like food labels etc., then this has to be paid for.

It is a shame lots of people claim to be “entrepreneurs” (etc) but basically take advantage of the state support for the first 22 years of their life, then run before they have to pay anything back into the pot.

</rant>

Rants are my favourite bit of the Off-Topic section. I wish more people would do them.

@HomeSen said:

@sparkla Working at the customer’s site is pretty much a must. […]

I wouldn’t work for less than 5000/month after taxes
Great. Good luck finding a company that will pay a beginner 120k/year. Trust me, that will never happen.

Ok, I will answer this with a question. Are you going to be honest and say: do you work for a salary of 5000 a month before taxes in Germany? - I don’t think so. So why put people down by implying that pentesters in Germany have less than €2000 after taxes?
Why should we get more than doctors/nurses, etc.? Nobody said that we should.
But if you look at the statistics in the USA, it is a big difference. If you are young it is awesome, but if you have a family it’s not a lot. You may as well go work any other job that does not require any knowledge whatsoever. By your words, sysadmins have more money than pentesters?! I hope people will not believe that… But thanks for sharing anyway

@Anonymus said:

Ok, I will answer this with a question. Are you going to be honest and say: do you work for a salary of 5000 a month before taxes in Germany?

I can’t speak for @HomeSen, but I can add my take.

First off, the comment was about a beginner. A good security architect with a solid background in multiple platforms and lots of business experience can be earning about £100 - 120k a year in the UK. An entry-level pentester is earning about £35 - 45k.

For better or worse, pentesters are not the best-paid roles in infosec for most of their careers.

It is especially frustrating when you realise the pentest company is charging them out at £1500+ per day, but paying the tester about £150.

I don’t think so. So why put people down by implying that pentesters in Germany have less than €2000 after taxes?

I might have misunderstood this, but I suspect most pentesters in the UK are taking home about £3k per month before tax, simply because the number of entry level pentesters is pretty high vs the number of experienced CTL types.

Why should we get more than doctors/nurses, etc.? Nobody said that we should.

Starting salary for a doctor in the UK is £23k, rising to £28k in the second year.

Starting salary for a pentester in the UK is £35k+.

Seems like pentesters are rich.

But if you look at the statistics in the USA, it is a big difference.

You can’t compare between countries. Like I said, a pentester in LA is going to need 4 - 5 times what a pentester in Nowhere, North Dakota earns.

If you live somewhere that costs US$2300 for a one-bed apartment (LA), your salary is always going to be different than somewhere costing US$800 (Fargo, ND).

Likewise, paying US$588 a month in healthcare (average in California) vs US$410 (average in ND) changes the balance.

If you are paying US$400 a month for healthcare, you might want to reflect on how that alone is half the total tax paid by someone in the UK earning £50k who gets fully free healthcare (no deductibles) and doesn’t have to pay state taxes.

If you are young it is awesome, but if you have a family it’s not a lot. You may as well go work any other job that does not require any knowledge whatsoever.

What job are you using as an example that pays more than this without any knowledge whatsoever?

The junior pentesters who you believe are woefully underpaid earn more than junior doctors who have to have a degree first. The junior pentester might have done a one week CEH, or several weeks self-study to pass OSCP, but equally might be entirely self taught from CTFs.

By your words, sysadmins have more money than pentesters?!

You’ve compared apples with fish there. I would go out on a limb and say a SysAdmin on £55k a year has a larger income than a junior pentester on £35k a year. That seems fairly simple maths.

Is a senior pentester with specialised skills earning more than your typical SysAdmin? Yes. But that is a meaningless comparison. A senior sysadmin with specialised knowledge (especially of critical OT systems or mainframes) can easily be earning more than a typical pentester.

I hope people will not believe that… But thanks for sharing anyway

Well, I kind of hope people here are good enough at basic maths to not need to believe it but YMMV.

@TazWake said:

I can’t speak for @HomeSen, but I can add my take. […]

@TazWake I highly respect you as a professional and you are always nice and helpful, so I will take your word for it, and thanks a lot for sharing.
You obviously know better than we who are not working in the field… Doctors are earning a lot more here, as far as I know.
But never mind, I think we all got the picture now and we have to decide whether we are going to take it or not…
I know I definitely won’t change my job for that salary, only if, God forbid, I am forced to…

But I will do the certs anyway because it is fun and I wish to learn. It is addictive :slight_smile:

Thank you for informing us about what to expect, that is what this topic was all about.

@Anonymus said:

@TazWake I highly respect you as a professional and you are always nice and helpful, so I will take your word for it, and thanks a lot for sharing.

Thank you.

You obviously know better than we who are not working in the field…

With the caveat that outside the UK and parts of the US, my knowledge is simply from googling open jobs.

Doctors are earning a lot more here as far as I know.

But that brings us back to the apples vs overcoats comparisons.

In the UK, a specialist surgeon working in the private sector with 15 years experience will be earning orders of magnitude more than an entry-level pentester or entry-level doctor.

It is a bit of a mistake to try and compare things which aren’t similar. If you have 15 years experience as a security consultant with specialisations in niche, yet required, areas, you will probably be the same as the specialist surgeon. But you probably wont refer to yourself as a pentester any more. The ground is less certain though.

I have a friend who worked as a pentester from about 2005 onwards. In 2011 he was very much ahead of the curve with mobile application security and was being paid well above averages by financial services organisations who were racing to develop secure applications. He wasn’t being paid to pentest them, he was being paid for his in-depth security knowledge which he developed through pentesting.

Sadly, once people realise this was earning around £1000 a day (vs £150-300 for pentesters), lots of people flocked to it, and they came up with frameworks to make it easier for everyone and now, you wont get a single penny extra for this “specialisation”.

But never mind, I think we all got the picture now and we have to decide whether we are going to take it or not…

Awesome. As a “profession”, it isn’t for everyone and, despite what training providers claim, I am not convinced there is a skill shortage either.

I know I definitely won’t change my job for that salary, only if, God forbid, I am forced to…

That’s fine and a perfectly valid decision. The harsh reality is that changing any job into a brand new profession with a view to earning more money is a bit mistaken.

I am very well paid as DFIR investigator. If I thought I wanted to follow a new passion and become a Solicitor I would need to reconcile the fact that my income would plummet for the first 10 - 15 years. It is almost certain that a solicitor specialised in corporate law with 20 years experience will be earning more than I am, but it will take 20 years for me to get to that point.

There are elements in which the progress can be short-circuited (for example, I already have corporate experience and know how to read legal documents), but it isn’t a significant reduction.

If a Solicitor is earning £100k a year and they decide to be a pentester, they will probably never get back to the same income in their working life.

Just to reiterate though - the better paid infosec jobs aren’t pentester roles. The real money comes from management, leadership, strategy, boardroom experience etc. There is nothing to stop pentesters going down this path, but it really is a different role. (And for better or worse, there is no requirement for any pentester experience for most well paid infosec jobs).

But I will do the certs anyway because it is fun and I wish to learn. It is addictive :slight_smile:

And that is super important. Earning well really does matter but if you spend 80 hours a week doing a job you hate, your life passes you by very, very quickly.

As an example, 10 years ago I could have decided to become a security architect and push into cloud designs, TOGAF and other good stuff. This is arguably better paid than DFIR by about 20% and there are lots more job opportunities.

However I detest it. I have tried reading the TOGAF documents and I fall asleep at the first page. It could pay £1m a second and I would still hate and still be very, very bad at it.

Thank you for informing us about what to expect, that is what this topic was all about.

You are welcome. I love the off-topic discussions because we all get to share our knowledge, ideas, hopes and experiences.